MISP logo

MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.

Exploit-Kit

Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It’s not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.

Exploit-Kit is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Kafeine - Will Metcalf - KahuSecurity

Astrum

Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It’s notable by its use of Steganography

Astrum is also known as:

  • Stegano EK

Table 1. Table References

Links

http://malware.dontneedcoffee.com/2014/09/astrum-ek.html

http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/

Terror EK

Terror EK is built on Hunter, Sundown and RIG EK code

Terror EK is also known as:

  • Blaze EK

  • Neptune EK

Table 2. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit—​More-like-Error-Exploit-Kit/

DNSChanger

DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser

DNSChanger is also known as:

  • RouterEK

Table 4. Table References

Links

http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html

https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

Hunter

Hunter EK is an evolution of 3Ros EK

Hunter is also known as:

  • 3ROS Exploit Kit

Table 5. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers

Kaixin

Kaixin is an exploit kit mainly seen behind compromised website in Asia

Kaixin is also known as:

  • CK vip

Table 6. Table References

Links

http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/

http://www.kahusecurity.com/2012/new-chinese-exploit-pack/

MWI

Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. The author wants to avoid their customer to use it in mass spam campaign, so it’s most often connected to semi-targeted attacks

Table 8. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html

https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf

Neutrino

Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.

Neutrino is also known as:

  • Job314

  • Neutrino Rebooted

  • Neutrino-v

Table 9. Table References

Links

http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html

RIG

RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by "vip" customers and when RIG 3 was still in use.

RIG is also known as:

  • RIG 3

  • RIG-v

  • RIG 4

  • Meadgive

Table 10. Table References

Links

http://www.kahusecurity.com/2014/rig-exploit-pack/

https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/

https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/

http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

Bizarro Sundown

Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features

Bizarro Sundown is also known as:

  • Sundown-b

Table 12. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/

https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/

GreenFlash Sundown

GreenFlash Sundown is a variation of Bizarro Sundown without landing

GreenFlash Sundown is also known as:

  • Sundown-GF

Table 13. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/

Angler

The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical "indexm" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the "standard" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC

Angler is also known as:

  • XXX

  • AEK

  • Axpergle

Table 14. Table References

Links

https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/

http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html

http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html

BlackHole

The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch’s arrest (all activity since then is anecdotal and based on an old leak)

BlackHole is also known as:

  • BHEK

Table 16. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/

https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/

Bleeding Life

Bleeding Life is an exploit kit that became open source with its version 2

Bleeding Life is also known as:

  • BL

  • BL2

Table 17. Table References

Links

http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/

http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html

Fiesta

Fiesta Exploit Kit

Fiesta is also known as:

  • NeoSploit

  • Fiexp

Table 19. Table References

Links

http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an

http://www.kahusecurity.com/2011/neosploit-is-back/

Empire

The Empire Pack is a variation of RIG operated by a load seller. It’s being fed by many traffic actors

Empire is also known as:

  • RIG-E

Table 20. Table References

Links

http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

FlashPack

FlashPack EK got multiple fork. The most common variant seen was the standalone Flash version

FlashPack is also known as:

  • FlashEK

  • SafePack

  • CritXPack

  • Vintage Pack

Table 21. Table References

Links

http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html

http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html

GrandSoft

GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013

GrandSoft is also known as:

  • StampEK

  • SofosFO

Table 22. Table References

Links

http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html

http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html

https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/

HanJuan

Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015

Table 23. Table References

Links

http://www.malwaresigs.com/2013/10/14/unknown-ek/

https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/

http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack

https://twitter.com/kafeine/status/562575744501428226

Himan

Himan Exploit Kit

Himan is also known as:

  • High Load

Table 24. Table References

Links

http://malware.dontneedcoffee.com/2013/10/HiMan.html

Infinity

Infinity is an evolution of Redkit

Infinity is also known as:

  • Redkit v2.0

  • Goon

Table 26. Table References

Links

http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html

http://www.kahusecurity.com/2014/the-resurrection-of-redkit/

Nebula

Nebula Exploit Kit has been built on Sundown source and features an internal TDS

Table 28. Table References

Links

http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html

Niteris

Niteris was used mainly to target Russian.

Niteris is also known as:

  • CottonCastle

Table 29. Table References

Links

http://malware.dontneedcoffee.com/2014/06/cottoncastle.html

http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html

Nuclear

The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack

Nuclear is also known as:

  • NEK

  • Nuclear Pack

  • Spartan

  • Neclu

Table 30. Table References

Links

http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/

Redkit

Redkit has been a major exploit kit in 2012. One of its specific features was to allow its access against a share of a percentage of the customer’s traffic

Table 33. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/

http://malware.dontneedcoffee.com/2012/05/inside-redkit.html

https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/

Sakura

Description Here

Table 34. Table References

Links

http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html

Sundown

Sundown Exploit Kit is mainly built out of stolen code from other exploit kits

Sundown is also known as:

  • Beps

  • Xer

  • Beta

Table 35. Table References

Links

http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html

https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road

Sweet-Orange

Sweet Orange

Sweet-Orange is also known as:

  • SWO

  • Anogre

Table 36. Table References

Links

http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html

Unknown

Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.

Table 38. Table References

Links

https://twitter.com/kafeine

https://twitter.com/node5

https://twitter.com/kahusecurity

Microsoft Activity Group actor

Activity groups as described by Microsoft.

Microsoft Activity Group actor is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/microsoft activity group actor.json[this location] The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

PROMETHIUM

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

Table 39. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

NEODYMIUM

NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.

Table 40. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

TERBIUM

Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.

Table 41. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/

STRONTIUM

STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer.

STRONTIUM is also known as:

  • APT 28

  • APT28

  • Pawn Storm

  • Fancy Bear

  • Sednit

  • TsarTeam

  • TG-4127

  • Group-4127

  • Sofacy

  • Grey-Cloud

Table 42. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/

http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf

https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/

DUBNIUM

DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.

DUBNIUM is also known as:

  • darkhotel

Table 43. Table References

Links

https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/

https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2

https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/

https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/

PLATINUM

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.

Table 44. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/

http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

BARIUM

Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.

Table 45. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/

LEAD

In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.

Table 46. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/

ZIRCONIUM

In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit.

Table 47. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/

Preventive Measure

Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures..

Preventive Measure is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/preventive measure.json[this location] The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

Backup and Restore Process

Make sure to have adequate backup processes on place and frequently test a restore of these backups. (Schrödinger’s backup - it is both existent and non-existent until you’ve tried a restore

Table 48. Table References

Links

http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7.[http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7.]

Block Macros

Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes: A.) Open downloaded documents in 'Protected View' B.) Open downloaded documents and block all macros

Table 49. Table References

Links

https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US

https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter

Filter Attachments Level 1

Filter the following attachments on your mail gateway: .ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub

Filter Attachments Level 2

Filter the following attachments on your mail gateway: (Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm

Show File Extensions

Set the registry key "HideFileExt" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. "not_a_virus.pdf.exe")

Table 52. Table References

Links

http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm

Enforce UAC Prompt

Enforce administrative users to confirm an action that requires elevated rights

Table 53. Table References

Links

https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

Remove Admin Privileges

Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.

Restrict Workstation Communication

Activate the Windows Firewall to restrict workstation to workstation communication

Sandboxing Email Input

Using sandbox that opens email attachments and removes attachments based on behavior analysis

Execution Prevention

Software that allows to control the execution of processes - sometimes integrated in Antivirus software Free: AntiHook, ProcessGuard, System Safety Monitor

Change Default "Open With" to Notepad

Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer

Table 54. Table References

Links

https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/

File Screening

Server-side file screening with the help of File Server Resource Manager

Table 55. Table References

Links

http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm

EMET

Detect and block exploitation techniques

Table 57. Table References

Links

www.microsoft.com/emet[www.microsoft.com/emet]

http://windowsitpro.com/security/control-emet-group-policy

Sysmon

Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring

Table 58. Table References

Links

https://twitter.com/JohnLaTwC/status/799792296883388416

Ransomware

Ransomware is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

Nhtnwcuf Ransomware (Fake)

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 59. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/nhtnwcuf-ransomware.html

CryptoJacky Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 60. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html

https://twitter.com/jiriatvirlab/status/838779371750031360

Kaenlupuf Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 61. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/kaenlupuf-ransomware.html

EnjeyCrypter Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 62. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/

https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/

Dangerous Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 63. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/dangerous-ransomware.html

Vortex Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Vortex Ransomware is also known as:

  • Ŧl๏tєгค гคภร๏๓ฬคгє

Table 64. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html

https://twitter.com/struppigel/status/839778905091424260

GC47 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 65. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/gc47-ransomware.html

RozaLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 66. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html

https://twitter.com/jiriatvirlab/status/840863070733885440

CryptoMeister Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 67. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html

GG Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Hewlett-Packard 2016

Table 68. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/gg-ransomware.html

Project34 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 69. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html

PetrWrap Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 70. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html

https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/

https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/

Karmen Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. RaaS, baed on HiddenTear

Table 71. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/

https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html

https://twitter.com/malwrhunterteam/status/841747002438361089

Revenge Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant

Table 72. Table References

Links

https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/

https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html

Turkish FileEncryptor Ransomware

his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Turkish FileEncryptor Ransomware is also known as:

  • Fake CTB-Locker

Table 73. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html

https://twitter.com/JakubKroustek/status/842034887397908480

ZinoCrypt Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 75. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html

https://twitter.com/demonslay335?lang=en

https://twitter.com/malwrhunterteam/status/842781575410597894

Crptxxx Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Uses @enigma0x3’s UAC bypass

Table 76. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html

https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84

http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc

https://twitter.com/malwrhunterteam/status/839467168760725508

MOTD Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 77. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html

https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/

https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/

CryptoDevil Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 78. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html

https://twitter.com/PolarToffee/status/843527738774507522

FabSysCrypto Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

Table 79. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html

https://twitter.com/struppigel/status/837565766073475072

Lock2017 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 80. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/lock2017-ransomware.html

RedAnts Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 81. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/redants-ransomware.html

ConsoleApplication1 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 82. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/consoleapplication1-ransomware.html

KRider Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 83. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html

https://twitter.com/malwrhunterteam/status/836995570384453632

CYR-Locker Ransomware (FAKE)

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg

Table 84. Table References

Links

https://id-ransomware.blogspot.co.il/search?updated-min=2017-01-01T00:00:00-08:00&updated-max=2018-01-01T00:00:00-08:00&max-results=50

DotRansomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 85. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/dotransomware.html

Unlock26 Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments.All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 86. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html

https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/

PicklesRansomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware

Table 87. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html

https://twitter.com/JakubKroustek/status/834821166116327425

Vanguard Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file. GO Ransomware

Table 88. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html

https://twitter.com/JAMESWT_MHT/status/834783231476166657

PyL33T Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 89. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html

https://twitter.com/Jan0fficial/status/834706668466405377

TrumpLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This is the old VenusLocker in disquise .To delete shadow files use the following commend: C:\Windows\system32\wbem\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg

Table 90. Table References

Links

https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/

https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/

Damage Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Written in Delphi

Table 91. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html

https://decrypter.emsisoft.com/damage

https://twitter.com/demonslay335/status/835664067843014656

XYZWare Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

Table 92. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html

https://twitter.com/malwrhunterteam/status/833636006721122304

YouAreFucked Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 93. Table References

Links

https://www.enigmasoftware.com/youarefuckedransomware-removal/

CryptConsole 2.0 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 94. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html

BarRax  Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

BarRax  Ransomware is also known as:

  • BarRaxCrypt  Ransomware

Table 95. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html

https://twitter.com/demonslay335/status/835668540367777792

CryptoLocker by NTK Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 96. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/cryptolocker-by-ntk-ransomware.html

UserFilesLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

UserFilesLocker Ransomware is also known as:

  • CzechoSlovak Ransomware

Table 97. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html

AvastVirusinfo Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMENENT!!!!

Table 98. Table References

Links

https://id-ransomware.blogspot.co.il/2017_03_01_archive.html

https://id-ransomware.blogspot.co.il/2017/03/avastvirusinfo-ransomware.html

FabSysCrypto Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 99. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html

SuchSecurity Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 100. Table References

Links

https://id-ransomware.blogspot.co.il/2017/03/suchsecurity-ransomware.html

PleaseRead Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

PleaseRead Ransomware is also known as:

  • VHDLocker Ransomware

Table 101. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/vhd-ransomware.html

Kasiski Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 102. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html

https://twitter.com/MarceloRivero/status/832302976744173570

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/

Fake Locky Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Fake Locky Ransomware is also known as:

  • Locky Impersonator Ransomware

Table 103. Table References

Links

https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/

https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html

https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/

CryptoShield 1.0 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoShield 1.0 is a ransomware from the CryptoMix family.

Table 104. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/cryptoshield-2-ransomware.html

https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/

Hermes Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Filemarker: "HERMES"

Table 105. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/

https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/

https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/

LoveLock Ransomware or Love2Lock Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 106. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/lovelock-ransomware.html

Wcry Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 107. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/wcry-ransomware.html

DUMB Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 108. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/dumb-ransomware.html

https://twitter.com/bleepincomputer/status/816053140147597312?lang=en

X-Files

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 109. Table References

Links

https://id-ransomware.blogspot.co.il/2017_02_01_archive.html

https://id-ransomware.blogspot.co.il/2017/02/x-files-ransomware.html

Polski Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The Ransom is 249$ and the hacker demands that the victim gets in contact through e-mail and a Polish messenger called Gadu-Gadu.

Table 110. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/polski-ransomware.html

YourRansom Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This hacker demands that the victim contacts him through email and decrypts the files for FREE.(moreinfo in the link below)

Table 111. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html

https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/

https://twitter.com/_ddoxer/status/827555507741274113

Ranion RaasRansomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ranion Raas gives the opportunity to regular people to buy and distribute ransomware for a very cheap price. (More info in the link below). RaaS service

Table 112. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/ranion-raas.html

https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/

Potato Ransomware

Wants a ransom to get the victim’s files back . Originated in English. Spread worldwide.

Table 113. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/polato-ransomware.html

of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)

This ransomware is originated in English, therefore could be used worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

Table 114. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html

RansomPlus

Author of this ransomware is sergej. Ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

Table 115. Table References

Links

http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html

https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html

https://twitter.com/jiriatvirlab/status/825411602535088129

CryptConsole

This ransomware does not actually encrypt your file, but only changes the names of your files, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files

Table 116. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html

https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/

https://twitter.com/PolarToffee/status/824705553201057794

ZXZ Ramsomware

Originated in English, could affect users worldwide, however so far only reports from Saudi Arabia. The malware name founded by a windows server tools is called win32/wagcrypt.A

Table 117. Table References

Links

https://www.bleepingcomputer.com/forums/t/638191/zxz-ransomware-support-help-topic-zxz/?hl=%2Bzxz#entry4168310

https://id-ransomware.blogspot.co.il/2017/01/zxz-ransomware.html

VxLock Ransomware

Developed in Visual Studios in 2010. Original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS office, Open Office, PDF… etc

Table 118. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/vxlock-ransomware.html

FunFact Ransomware

Funfact uses an open code for GNU Privacy Guard (GnuPG), then asks to email them to find out the amout of bitcoin to send (to receive a decrypt code). Written in English, can attach all over the world. The ransom is 1.22038 BTC, which is 1100USD.

Table 119. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/funfact.html

http://www.enigmasoftware.com/funfactransomware-removal/

ZekwaCrypt Ransomware

First spotted in May 2016, however made a big comeback in January 2017. It’s directed to English speaking users, therefore is able to infect worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

Table 120. Table References

Links

https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html

http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html

Sage 2.0 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected. Predecessor CryLocker

Table 121. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html

https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/

http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom

https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/

https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga

CloudSword Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Window Update” to confuse its victims. Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Table 122. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html

http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/

https://twitter.com/BleepinComputer/status/822653335681593345

DN

It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Chrome Update” to confuse its victims. Then imitates the chrome update process ,while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!

DN is also known as:

  • Fake

Table 123. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/dn-donotopen.html

GarryWeber Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc..

Table 124. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/garryweber.html

Satan Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. (leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS

Table 125. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html

https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/

https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/

https://twitter.com/Xylit0l/status/821757718885236740

Havoc

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures , videos, shared online files etc..

Havoc is also known as:

  • HavocCrypt Ransomware

Table 126. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/havoc-ransomware.html

CryptoSweetTooth Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Its fake name is Bitcoin and maker’s name is Santiago. Work of the encrypted requires the user to have .NET Framework 4.5.2. on his computer.

Table 127. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/cryptosweettooth.html

http://sensorstechforum.com/remove-cryptosweettooth-ransomware-restore-locked-files/

Kaandsona Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. Crashes before it encrypts

Kaandsona Ransomware is also known as:

  • RansomTroll Ransomware

  • Käändsõna Ransomware

Table 128. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html

https://twitter.com/BleepinComputer/status/819927858437099520

LambdaLocker Ransomware

It’s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware

Table 129. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/lambdalocker.html

http://cfoc.org/how-to-restore-files-affected-by-the-lambdalocker-ransomware/

NMoreia 2.0 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

NMoreia 2.0 Ransomware is also known as:

  • HakunaMatataRansomware

Table 130. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/hakunamatata.html

https://id-ransomware.blogspot.co.il/2016_03_01_archive.html

Marlboro Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is .2 bitcoin, however there is no point of even trying to pay, since this damage is irreversible. Once the ransom is paid the hacker does not return decrypt the files. Another name is DeMarlboro and it is written in language C++. Pretend to encrypt using RSA-2048 and AES-128 (really it’s just XOR)

Table 131. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/marlboro.html

https://decrypter.emsisoft.com/marlboro

https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/

Spora Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png

Table 132. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html

https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware

http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/

CryptoKill Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files get encrypted, but the decrypt key is not available. NO POINT OF PAYING THE RANSOM, THE FILES WILL NOT BE RETURNED.

Table 133. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/cryptokill-ransomware.html

All_Your_Documents Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 134. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/allyourdocuments-ransomware.html

SerbRansom 2017 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 500$ in bitcoins. The name of the hacker is R4z0rx0r Serbian Hacker.

Table 135. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html

https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/

https://twitter.com/malwrhunterteam/status/830116190873849856

Fadesoft Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 0.33 bitcoins.

Table 136. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html

https://twitter.com/malwrhunterteam/status/829768819031805953

https://twitter.com/malwrhunterteam/status/838700700586684416

HugeMe Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 137. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/hugeme-ransomware.html

https://www.ozbargain.com.au/node/228888?page=3

https://id-ransomware.blogspot.co.il/2016/04/magic-ransomware.html

DynA-Crypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

DynA-Crypt Ransomware is also known as:

  • DynA CryptoLocker Ransomware

Table 138. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html

https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/

Serpent 2017 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Serpent 2017 Ransomware is also known as:

  • Serpent Danish Ransomware

Table 139. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html

Erebus 2017 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 140. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html

https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/

Cyber Drill Exercise

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Cyber Drill Exercise is also known as:

  • Ransomuhahawhere

Table 141. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/ransomuhahawhere.html

Cancer Ransomware FAKE

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. This is a trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). It is meant to be annoying and it is hard to erase from your PC, but possible.

Table 142. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/cancer-ransomware.html

https://www.bleepingcomputer.com/news/security/watch-your-computer-go-bonkers-with-cancer-trollware/

UpdateHost Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Microsoft Copyright 2017 and requests ransom in bitcoins.

Table 143. Table References

Links

https://id-ransomware.blogspot.co.il/2017/02/updatehost-ransomware.html

https://www.bleepingcomputer.com/startups/Windows_Update_Host-16362.html

Nemesis Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 10 bitcoins.

Table 144. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/nemesis-ransomware.html

Evil Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan. Coded in Javascript

Evil Ransomware is also known as:

  • File0Locked KZ Ransomware

Table 145. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html

http://www.enigmasoftware.com/evilransomware-removal/

http://usproins.com/evil-ransomware-is-lurking/

https://twitter.com/jiriatvirlab/status/818443491713884161

https://twitter.com/PolarToffee/status/826508611878793219

Ocelot Ransomware (FAKE RANSOMWARE)

It’s directed to English speaking users, therefore is able to infect worldwide. This is a fake ransomware. Your files are not really encrypted, however the attacker does ask for a ransom of .03 bitcoins. It is still dangerous even though it is fake, he still go through to your computer.

Ocelot Ransomware (FAKE RANSOMWARE) is also known as:

  • Ocelot Locker Ransomware

Table 146. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html

https://twitter.com/malwrhunterteam/status/817648547231371264

SkyName Ransomware

It’s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

SkyName Ransomware is also known as:

  • Blablabla Ransomware

Table 147. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html

https://twitter.com/malwrhunterteam/status/817079028725190656

MafiaWare Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 155$ inbitcoins. Creator of ransomware is called Mafia. Based on HiddenTear

MafiaWare Ransomware is also known as:

  • Depsex Ransomware

Table 148. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/

https://twitter.com/BleepinComputer/status/817069320937345024

Globe3 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 3 bitcoins. Extesion depends on the config file. It seems Globe is a ransomware kit.

Globe3 Ransomware is also known as:

  • Purge Ransomware

Table 149. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html

https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/

https://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/

https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html

https://decrypter.emsisoft.com/globe3

BleedGreen Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 500$ in bitcoins. Requires .NET Framework 4.0. Gets into your startup system and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg

BleedGreen Ransomware is also known as:

  • FireCrypt Ransomware

Table 150. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/bleedgreen-ransomware.html

https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/

BTCamant Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Original name is Mission 1996 or Mission: “Impossible” (1996) (like the movie)

Table 151. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/btcamant.html

X3M Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. It is also possible to break in using RDP Windows with the help of Pass-the-Hash system, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. Ransom is 700$ in Bitcoins.

Table 152. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/x3m-ransomware.html

GOG Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 153. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html

https://twitter.com/BleepinComputer/status/816112218815266816

EdgeLocker

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.1 Bitcoins. Original name is TrojanRansom.

Table 154. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html

https://twitter.com/BleepinComputer/status/815392891338194945

Red Alert

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Fake name: Microsoft Corporation. Based on HiddenTear

Table 155. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html

https://twitter.com/JaromirHorejsi/status/815557601312329728

First

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 156. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/first-ransomware.html

XCrypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Written on Delphi. The user requests the victim to get in touch with him through ICQ to get the ransom and return the files.

Table 157. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html

https://twitter.com/JakubKroustek/status/825790584971472902

7Zipper Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 158. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/7zipper-ransomware.html

https://1.bp.blogspot.com/-ClM0LCPjQuk/WI-BgHTpdNI/AAAAAAAADc8/JyEQ8-pcJmsXIntuP-MMdE-pohVncxTXQCLcB/s1600/7-zip-logo.png

Zyka Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 170$ or EUR in Bitcoins.

Table 159. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/zyka-ransomware.html

https://www.pcrisk.com/removal-guides/10899-zyka-ransomware

https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip

https://twitter.com/GrujaRS/status/826153382557712385

SureRansom Ransomeware (Fake)

It’s directed to English speaking users, therefore is able to strike worldwide. This ransomware does not really encrypt your files. Ransom requested is £50 using credit card.

Table 160. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/sureransom-ransomware.html

http://www.forbes.com/sites/leemathews/2017/01/27/fake-ransomware-is-tricking-people-into-paying/#777faed0381c

Netflix Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses the known online library as a decoy. It poses as Netflix Code generator for Netflix login, but instead encrypts your files. The ransom is 100$ in Bitcoins.

Table 161. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/netflix-ransomware.html

http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/

https://www.bleepingcomputer.com/news/security/rogue-netflix-app-spreads-netix-ransomware-that-targets-windows-7-and-10-users/

http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012

https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHoIRz3Ezth22-wCEw/s1600/form1.jpg[https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHoIRz3Ezth22-wCEw/s1600/form1.jpg]

https://4.bp.blogspot.com/-ZnWdPDprJOg/WJCPeCtP4HI/AAAAAAAADfw/kR0ifI1naSwTAwSuOPiw8ZCPr0tSIz1CgCLcB/s1600/netflix-akk.png

CryptoShield 1.0 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoShield 1.0 is a ransomware from the CryptoMixfamily.

Table 162. Table References

Links

https://id-ransomware.blogspot.co.il/2017/01/cryptoshield-ransomware.html

https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/

Merry Christmas

It’s directed to English and Italian speaking users, therefore is able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. They pose as a Consumer complaint notification that’s coming from Federal Trade Commission from USA, with an attached file called “complaint.pdf”. Written in Delphi by hacker MicrRP.

Merry Christmas is also known as:

  • Merry X-Mas

  • MRCR

Table 163. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html

https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/

http://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data/

https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/

https://decrypter.emsisoft.com/mrcr

Seoirse Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Seoirse is how in Ireland people say the name George. Ransom is 0.5 Bitcoins.

Table 164. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/seoirse-ransomware.html

KillDisk Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Every file is encrypted with a personal AES-key, and then AES-key encrypts with a RSA-1028 key. Hacking by TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.

Table 165. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/killdisk-ransomware.html

https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/

https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/

http://www.zdnet.com/article/247000-killdisk-ransomware-demands-a-fortune-forgets-to-unlock-files/

http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware

http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/

https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/

DeriaLock Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Maker is arizonacode and ransom amount is 20-30$. If the victim decides to pay the ransom, he will have to copy HWID and then speak to the hacker on Skype and forward him the payment.

Table 166. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html

https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/

BadEncript Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 167. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html

https://twitter.com/demonslay335/status/813064189719805952

AdamLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the creator is puff69.

Table 168. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/adamlocker-ransomware.html

Alphabet Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses as Windows 10 Critical Update Service. Offers you to update your Windows 10, but instead encrypts your files. For successful attack, the victim must have .NET Framework 4.5.2 installed on him computer.

Table 169. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html

https://twitter.com/PolarToffee/status/812331918633172992

KoKoKrypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru

KoKoKrypt Ransomware is also known as:

  • KokoLocker  Ransomware

Table 170. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/kokokrypt-ransomware.html

http://removevirusadware.com/tips-for-removeing-kokokrypt-ransomware/

L33TAF Locker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.5 bitcoins. The name of the creator is staffttt, he also created Fake CryptoLocker

Table 171. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/l33taf-locker-ransomware.html

PClock4 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam (for example: “you have a criminal case against you”), fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

PClock4 Ransomware is also known as:

  • PClock SysGop Ransomware

Table 172. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/pclock4-sysgop-ransomware.html

Guster Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses VBS-script to send a voice message as the first few lines of the note.

Table 173. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html

https://twitter.com/BleepinComputer/status/812131324979007492

Roga

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker requests the ransom in Play Store cards. https://3.bp.blogspot.com/-ClUef8T55f4/WGKb8U4GeaI/AAAAAAAACzg/UFD0X2sORHYTVRNBSoqd5q7TBrOblQHmgCLcB/s1600/site.png

Table 174. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/roga-ransomware.html

CryptoLocker3 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Creator is staffttt and the ransom is 0.5 botcoins.

CryptoLocker3 Ransomware is also known as:

  • Fake CryptoLocker

Table 175. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/cryptolocker3-ransomware.html

ProposalCrypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 1.0 bitcoins.

Table 176. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/proposalcrypt-ransomware.html

http://www.archersecuritygroup.com/what-is-ransomware/

https://twitter.com/demonslay335/status/812002960083394560

https://twitter.com/malwrhunterteam/status/811613888705859586

Manifestus Ransomware 

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker demands 0.2 bitcoins. The ransomware poses as a Window update.

Table 177. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/manifestus-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2016-cryptxxx-koolova-cerber-and-more/

https://twitter.com/struppigel/status/811587154983981056

EnkripsiPC Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name

EnkripsiPC Ransomware is also known as:

  • IDRANSOMv3

  • Manifestus

Table 178. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html

https://twitter.com/demonslay335/status/811343914712100872

https://twitter.com/BleepinComputer/status/811264254481494016

https://twitter.com/struppigel/status/811587154983981056

BrainCrypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. So far the victims are from Belarus and Germany.

Table 179. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/braincrypt-ransomware.html

MSN CryptoLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.2 bitcoins.

Table 180. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html

https://twitter.com/struppigel/status/810766686005719040

CryptoBlock Ransomware 

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is in the amount is 0.3 bitcoins. The ransomware is disguises themselves as Adobe Systems, Incorporated. RaaS

Table 181. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html

https://twitter.com/drProct0r/status/810500976415281154

AES-NI Ransomware 

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 182. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/aes-ni-ransomware.html

Koolova Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker of this ransomware tends to make lots of spelling errors in his requests. With Italian text that only targets the Test folder on the user’s desktop

Table 183. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html

https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/

Fake Globe Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 1bitcoin.

Fake Globe Ransomware is also known as:

  • Globe Imposter

Table 184. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/

https://twitter.com/fwosar/status/812421183245287424

https://decrypter.emsisoft.com/globeimposter

https://twitter.com/malwrhunterteam/status/809795402421641216

V8Locker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Table 185. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/v8locker-ransomware.html

Cryptorium (Fake Ransomware)

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc., however your files are not really encrypted, only the names are changed.

Table 186. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/cryptorium-ransomware.html

Antihacker2017 Ransomware

It’s directed to Russian speaking users, there fore is able to infect mosty the old USSR countries. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc … The hacker goes by the nickname Antihacker and requests the victim to send him an email for the decryption. He does not request any money only a warning about looking at porn (gay, incest and rape porn to be specific).

Table 187. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/antihacker2017-ransomware.html

CIA Special Agent 767 Ransomware (FAKE!!!)

It’s directed to English speaking users, therefore is able to infect users all over the world. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Your files are not really encrypted and nothing actually happens, however the hacker does ask the victim to pay a sum of 100$, after 5 days the sum goes up to 250$ and thereafter to 500$. After the payment is received, the victim gets the following message informing him that he has been fooled and he simply needed to delete the note. https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg

Table 188. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/cia-special-agent-767-ransomware.html

https://www.bleepingcomputer.com/virus-removal/remove-cia-special-agent-767-screen-locker

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-16th-2016-samas-no-more-ransom-screen-lockers-and-more/

https://guides.yoosecurity.com/cia-special-agent-767-virus-locks-your-pc-screen-how-to-unlock/

LoveServer Ransomware 

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker request your IP address in return for the decryption.

Table 189. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/loveserver-ransomware.html

Kraken Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The hacker requests 2 bitcoins in return for the files.

Table 190. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html

Antix Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 0.25 bitcoins and the nickname of the hacker is FRC 2016.

Table 191. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/antix-ransomware.html

PayDay Ransomware 

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is R$950 which is due in 5 days. (R$ is a Brazilian currency) Based off of Hidden-Tear

Table 192. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html

https://twitter.com/BleepinComputer/status/808316635094380544

Slimhem Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is NOT spread using email spam, fake updates, attachments and so on. It simply places a decrypt file on your computer.

Table 193. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/slimhem-ransomware.html

M4N1F3STO Ransomware (FAKE!!!!!)

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… FILES DON’T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!

Table 194. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/m4n1f3sto-ransomware.html

Dale Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… CHIP > DALE

Dale Ransomware is also known as:

  • DaleLocker Ransomware

UltraLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Based on the idiotic open-source ransomware called CryptoWire

Table 195. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html

https://twitter.com/struppigel/status/807161652663742465

AES_KEY_GEN_ASSIST Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Table 196. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/aeskeygenassist-ransomware.html

https://id-ransomware.blogspot.co.il/2016/09/dxxd-ransomware.html

https://www.bleepingcomputer.com/forums/t/634258/aes-key-gen-assistprotonmailcom-help-support/

Code Virus Ransomware 

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 197. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/code-virus-ransomware.html

FLKR Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 198. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/flkr-ransomware.html

PopCorn Time Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. These hackers claim to be students from Syria. This ransomware poses as the popular torrent movie screener called PopCorn. These criminals give you the chance to retrieve your files “for free” by spreading this virus to others. Like shown in the note bellow: https://www.bleepstatic.com/images/news/ransomware/p/Popcorn-time/refer-a-friend.png

Table 199. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html

https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/

HackedLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… NO POINT OF PAYING THE RANSOM—THE HACKER DOES NOT GIVE A DECRYPT AFTERWARDS.

Table 200. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/hackedlocker-ransomware.html

GoldenEye Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Table 201. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/goldeneye-ransomware.html

https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/

https://www.bleepingcomputer.com/forums/t/634778/golden-eye-virus/

Sage Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Table 202. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/sage-ransomware.html

https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/

https://www.bleepingcomputer.com/forums/t/634747/sage-20-ransomware-sage-support-help-topic/

SQ_ Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker requests 4 bitcoins for ransom.

SQ_ Ransomware is also known as:

  • VO_ Ransomware

Table 203. Table References

Links

https://id-ransomware.blogspot.co.il/2016/12/sq-vo-ransomware.html

Matrix

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Matrix is also known as:

  • Malta Ransomware

Table 204. Table References

Links

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/

https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html

https://twitter.com/rommeljoven17/status/804251901529231360

Satan666 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 205. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/satan666-ransomware.html

RIP (Phoenix) Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

Table 206. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html

https://twitter.com/BleepinComputer/status/804810315456200704

Locked-In Ransomware or NoValid Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on RemindMe

Table 207. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html

https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/

https://twitter.com/struppigel/status/807169774098796544

Chartwig Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 208. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/chartwig-ransomware.html

RenLocker Ransomware (FAKE)

It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files don’t actually get encrypted, their names get changed using this formula: [number][.crypter]

Table 209. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/renlocker-ransomware.html

Thanksgiving Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 210. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/thanksgiving-ransomware.html

https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html

https://twitter.com/BleepinComputer/status/801486420368093184

CockBlocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 211. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html

https://twitter.com/jiriatvirlab/status/801910919739674624

Lomix Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on the idiotic open-source ransomware called CryptoWire

Table 212. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html

https://twitter.com/siri_urz/status/801815087082274816

OzozaLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. https://3.bp.blogspot.com/--jubfYRaRmw/WDaOyZXkAaI/AAAAAAAACQE/E63a4FnaOfACZ07s1xUiv_haxy8cp5YCACLcB/s1600/ozoza2.png

Table 213. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html

https://decrypter.emsisoft.com/ozozalocker

https://twitter.com/malwrhunterteam/status/801503401867673603

Crypute Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Crypute Ransomware is also known as:

  • m0on Ransomware

Table 214. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/crypute-ransomware-m0on.html

https://www.bleepingcomputer.com/virus-removal/threat/ransomware/

NMoreira Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

NMoreira Ransomware is also known as:

  • Fake Maktub Ransomware

Table 215. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/nmoreira-ransomware.html

https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html

VindowsLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom amount is 349.99$ and the hacker seems to be from India. He disguises himself as Microsoft Support.

Table 216. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/vindowslocker-ransomware.html

https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph

https://rol.im/VindowsUnlocker.zip

https://twitter.com/JakubKroustek/status/800729944112427008

https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/

Donald Trump 2 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Here is the original ransomware under this name: http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html

Table 217. Table References

Links

http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html

https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/

Nagini Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Looks for C:\Temp\voldemort.horcrux

Nagini Ransomware is also known as:

  • Voldemort Ransomware

Table 218. Table References

Links

http://id-ransomware.blogspot.co.il/2016/09/nagini-voldemort-ransomware.html

https://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemort-on-your-files/

ShellLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 219. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html

https://twitter.com/JakubKroustek/status/799388289337671680

Chip Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Chip Ransomware is also known as:

  • ChipLocker Ransomware

Table 220. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html

http://malware-traffic-analysis.net/2016/11/17/index.html

https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-now-distributing-new-chip-ransomware/

Dharma Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS  > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant

Table 221. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html

https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/

Angela Merkel Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 222. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html

https://twitter.com/malwrhunterteam/status/798268218364358656

CryptoLuck Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

CryptoLuck Ransomware is also known as:

  • YafunnLocker

Table 223. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html

http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/

https://twitter.com/malwareforme/status/798258032115322880

Crypton Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Crypton Ransomware is also known as:

  • Nemesis

  • X3M

Table 224. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html

https://decrypter.emsisoft.com/crypton

https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-not-so-bad-/

https://twitter.com/JakubKroustek/status/829353444632825856

Karma Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. pretends to be a Windows optimization program called Windows-TuneUp

Table 225. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html

https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-18th-2016-crysis-cryptoluck-chip-and-more/

WickedLocker HT Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 226. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/wickedlocker-ht-ransomware.html

PClock3 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoLocker Copycat

PClock3 Ransomware is also known as:

  • PClock SuppTeam Ransomware

  • WinPlock

  • CryptoLocker clone

Table 227. Table References

Links

https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/

https://id-ransomware.blogspot.co.il/2016/11/suppteam-ransomware-sysras.html

http://researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/

https://decrypter.emsisoft.com/

Kolobo Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Kolobo Ransomware is also known as:

  • Kolobocheg Ransomware

Table 228. Table References

Links

https://www.ransomware.wiki/tag/kolobo/

https://id-ransomware.blogspot.co.il/2016/11/kolobo-ransomware.html

https://forum.drweb.com/index.php?showtopic=315142

PaySafeGen (German) Ransomware

This is most likely to affect German speaking users, since the note is written in German. Mostly affects users in German speaking countries. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

PaySafeGen (German) Ransomware is also known as:

  • Paysafecard Generator 2016

Table 229. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html

https://twitter.com/JakubKroustek/status/796083768155078656

Telecrypt Ransomware

This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.

Table 230. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/telecrypt-ransomware.html

http://www.securityweek.com/telecrypt-ransomwares-encryption-cracked

https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3

https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/

https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/

CerberTear Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 231. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/cerbertear-ransomware.html

https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/

https://twitter.com/struppigel/status/795630452128227333

FuckSociety Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Hidden Tear >> APT Ransomware + HYPERLINK "https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html" "_blank" RemindMe  > FuckSociety

Table 232. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/fucksociety-ransomware.html

PayDOS Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Batch file; Passcode: AES1014DW256 or RSA1014DJW2048

PayDOS Ransomware is also known as:

  • Serpent Ransomware

Table 233. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/paydos-ransomware-serpent.html

https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/

https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers

zScreenLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 234. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/zscreenlocker-ransomware.html

https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/

https://twitter.com/struppigel/status/794077145349967872

Gremit Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 235. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/gremit-ransomware.html

https://twitter.com/struppigel/status/794444032286060544

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/

Hollycrypt Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 236. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/hollycrypt-ransomware.html

BTCLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

BTCLocker Ransomware is also known as:

  • BTC Ransomware

Table 237. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/btclocker-ransomware.html

Kangaroo Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda

Table 238. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html

https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/

DummyEncrypter Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 239. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/dummyencrypter-ransomware.html

Encryptss77 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Encryptss77 Ransomware is also known as:

  • SFX Monster Ransomware

Table 240. Table References

Links

http://virusinfo.info/showthread.php?t=201710

https://id-ransomware.blogspot.co.il/2016/11/encryptss77-ransomware.html

WinRarer Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 241. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/winrarer-ransomware.html

Russian Globe Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 242. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/russian-globe-ransomware.html

ZeroCrypt Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 243. Table References

Links

https://id-ransomware.blogspot.co.il/2016/11/zerocrypt-ransomware.html

RotorCrypt(RotoCrypt, Tar) Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 244. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html

Ishtar Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Table 245. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/ishtar-ransomware.html

MasterBuster Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 246. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html

https://twitter.com/struppigel/status/791943837874651136

JackPot Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

JackPot Ransomware is also known as:

  • Jack.Pot Ransomware

Table 247. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/jackpot-ransomware.html

https://twitter.com/struppigel/status/791639214152617985

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/

ONYX Ransomeware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Georgian ransomware

Table 248. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/onyx-ransomware.html

https://twitter.com/struppigel/status/791557636164558848

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/

IFN643 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 249. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/ifn643-ransomware.html

https://twitter.com/struppigel/status/791576159960072192

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/

Alcatraz Locker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 250. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/

https://twitter.com/PolarToffee/status/792796055020642304

Esmeralda Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 251. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/esmeralda-ransomware.html

https://www.bleepingcomputer.com/forums/t/630835/esmeralda-ransomware/

EncrypTile Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 252. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/encryptile-ransomware.html

Fileice Ransomware Survey Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of how the hacker tricks the user using the survey method. https://1.bp.blogspot.com/-72ECd1vsUdE/WBMSzPQEgzI/AAAAAAAABzA/i8V-Kg8Gstcn_7-YZK__PDC2VgafWcfDgCLcB/s1600/survey-screen.png The hacker definatly has a sense of humor: https://1.bp.blogspot.com/-2AlvtcvdyUY/WBMVptG_V5I/AAAAAAAABzc/1KvAMeDmY2w9BN9vkqZO8LWkBu7T9mvDACLcB/s1600/ThxForYurTyme.JPG

Table 253. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/fileice-ransomware-survey.html

https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/

CryptoWire Ransomeware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 254. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html

https://twitter.com/struppigel/status/791554654664552448

https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/

Hucky Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on Locky

Hucky Ransomware is also known as:

  • Hungarian Locky Ransomware

Table 255. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html

https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe

https://twitter.com/struppigel/status/846241982347427840

Winnix Cryptor Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 256. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html

https://twitter.com/PolarToffee/status/811940037638111232

AngryDuck Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Demands 10 BTC

Table 257. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html

https://twitter.com/demonslay335/status/790334746488365057

Lock93 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 258. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html

https://twitter.com/malwrhunterteam/status/789882488365678592

ASN1 Encoder Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 259. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html

https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/

Click Me Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker tries to get the user to play a game and when the user clicks the button, there is no game, just 20 pictures in a .gif below: https://3.bp.blogspot.com/-1zgO3-bBazs/WAkPYqXuayI/AAAAAAAABxI/DO3vycRW-TozneSfRTdeKyXGNEtJSMehgCLcB/s1600/all-images.gif

Table 260. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html

https://www.youtube.com/watch?v=Xe30kV4ip8w

AiraCrop Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 261. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html

JapanLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Base64 encoding, ROT13, and top-bottom swapping

JapanLocker Ransomware is also known as:

  • SHC Ransomware

  • SHCLocker

  • SyNcryption

Table 262. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/japanlocker-ransomware.html

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker

https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.php

https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots

Anubis Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. EDA2

Table 263. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html

http://nyxbone.com/malware/Anubis.html

XTPLocker 5.0 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 264. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/xtplocker-ransomware.html

Exotic Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Also encrypts executables

Table 265. Table References

Links

https://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-executable-files/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/exotic-ransomware

https://id-ransomware.blogspot.co.il/2016/10/exotic-ransomware.html

APT Ransomware v.2

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. NO POINT TO PAY THE RANSOM, THE FILES ARE COMPLETELY DESTROYED

Table 266. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/apt-ransomware-2.html

Windows_Security Ransonware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Windows_Security Ransonware is also known as:

  • WS Go Ransonware

  • Trojan.Encoder.6491

Table 267. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/ws-go-ransonware.html

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/apt-ransomware-v2

NCrypt Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 268. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/ncrypt-ransomware.html

Venis Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. In devVenisRansom@protonmail.com

Table 269. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html

https://twitter.com/Antelox/status/785849412635521024

http://pastebin.com/HuK99Xmj

Enigma 2 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 270. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/enigma-2-ransomware.html

Deadly Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. sample is set to encrypt only in 2017…​

Deadly Ransomware is also known as:

  • Deadly for a Good Purpose Ransomware

Table 271. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html

https://twitter.com/malwrhunterteam/status/785533373007728640

Comrade Circle Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 272. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/comrade-circle-ransomware.html

Globe2 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Globe2 Ransomware is also known as:

  • Purge Ransomware

Table 273. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html

https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221

Kostya Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 274. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html

http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/

Fs0ciety Locker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

Table 275. Table References

Links

https://id-ransomware.blogspot.co.il/2016/10/fs0ciety-locker-ransomware.htm

Erebus Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. After the files are decrypted, the shadow files are deleted using the following command: vssadmin.exe Delete Shadows /All /Quiet

Table 276. Table References

Links

https://id-ransomware.blogspot.co.il/2016/09/erebus-ransomware.html

WannaCry

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

WannaCry is also known as:

  • WannaCrypt

  • WannaCry

  • WanaCrypt0r

  • WCrypt

  • WCRY

Table 277. Table References

Links

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

.CryptoHasYou.

Ransomware

Table 278. Table References

Links

http://www.nyxbone.com/malware/CryptoHasYou.html

777

Ransomware

777 is also known as:

  • Sevleg

Table 279. Table References

Links

https://decrypter.emsisoft.com/777

8lock8

Ransomware Based on HiddenTear

Table 281. Table References

Links

http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/

AiraCrop

Ransomware related to TeamXRat

Table 282. Table References

Links

https://twitter.com/PolarToffee/status/796079699478900736

Al-Namrood

Ransomware

Table 283. Table References

Links

https://decrypter.emsisoft.com/al-namrood

Alma Ransomware

Ransomware

Table 285. Table References

Links

https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&;hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&hssc=61627571.1.1472593507113&hsfp=1114323283[https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&;hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&hssc=61627571.1.1472593507113&hsfp=1114323283]

https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter

http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/

AMBA

Ransomware Websites only amba@riseup.net

Table 287. Table References

Links

https://twitter.com/benkow_/status/747813034006020096

AngleWare

Ransomware

Table 288. Table References

Links

https://twitter.com/BleepinComputer/status/844531418474708993

Anony

Ransomware Based on HiddenTear

Anony is also known as:

  • ngocanh

Table 289. Table References

Links

https://twitter.com/struppigel/status/842047409446387714

ApocalypseVM

Ransomware Apocalypse ransomware version which uses VMprotect

Table 291. Table References

Links

http://decrypter.emsisoft.com/download/apocalypsevm

AutoLocky

Ransomware

Table 292. Table References

Links

https://decrypter.emsisoft.com/autolocky

Aw3s0m3Sc0t7

Ransomware

Table 293. Table References

Links

https://twitter.com/struppigel/status/828902907668000770

BitCryptor

Ransomware Has a GUI. CryptoGraphic Locker family. Newer CoinVault variant.

Table 298. Table References

Links

https://noransom.kaspersky.com/

BlackShades Crypter

Ransomware

BlackShades Crypter is also known as:

  • SilentShade

Table 300. Table References

Links

http://nyxbone.com/malware/BlackShades.html

Booyah

Ransomware EXE was replaced to neutralize threat

Booyah is also known as:

  • Salami

Browlock

Ransomware no local encryption, browser only

Bucbi

Ransomware no file name change, no extension

Table 306. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/

BuyUnlockCode

Ransomware Does not delete Shadow Copies

Clock

Ransomware Does not encrypt anything

Table 310. Table References

Links

https://twitter.com/JakubKroustek/status/794956809866018816

CoinVault

Ransomware CryptoGraphic Locker family. Has a GUI. Do not confuse with CrypVault!

Table 311. Table References

Links

https://noransom.kaspersky.com/

Cryaki

Ransomware

Table 313. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

Crybola

Ransomware

Table 314. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

CryFile

Ransomware

Table 315. Table References

Links

SHTODELATVAM.txt[SHTODELATVAM.txt]

Instructionaga.txt[Instructionaga.txt]

CryLocker

Ransomware Identifies victim locations w/Google Maps API

CryLocker is also known as:

  • Cry

  • CSTO

  • Central Security Treatment Organization

Table 316. Table References

Links

http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/

Crypter

Ransomware Does not actually encrypt the files, but simply renames them

Table 320. Table References

Links

https://twitter.com/jiriatvirlab/status/802554159564062722

CryptInfinite

Ransomware

Table 322. Table References

Links

https://decrypter.emsisoft.com/

CryptoDefense

Ransomware no extension change

Table 324. Table References

Links

https://decrypter.emsisoft.com/

CryptoFortress

Ransomware Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB

CryptoGraphic Locker

Ransomware Has a GUI. Subvariants: CoinVault BitCryptor

CryptoHost

Ransomware RAR’s victim’s files has a GUI

CryptoHost is also known as:

  • Manamecrypt

  • Telograph

  • ROI Locker

Table 326. Table References

Links

http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/

CryptoJoker

Ransomware

CryptoShadow

Ransomware

Table 333. Table References

Links

https://twitter.com/struppigel/status/821992610164277248

CryptoWall 1

Ransomware

CryptoWall 2

Ransomware

CryptoWall 4

Ransomware

CryptXXX

Ransomware Comes with Bedep

CryptXXX is also known as:

  • CryptProjectXXX

Table 338. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information

CTB-Faker

Ransomware

CTB-Faker is also known as:

  • Citroni

CuteRansomware

Ransomware Based on my-Little-Ransomware

CuteRansomware is also known as:

  • my-Little-Ransomware

Table 344. Table References

Links

https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool

https://github.com/aaaddress1/my-Little-Ransomware

Cyber SpLiTTer Vbs

Ransomware Based on HiddenTear

Cyber SpLiTTer Vbs is also known as:

  • CyberSplitter

Table 345. Table References

Links

https://twitter.com/struppigel/status/778871886616862720

https://twitter.com/struppigel/status/806758133720698881

Demo

Ransomware only encrypts .jpg files

Table 349. Table References

Links

https://twitter.com/struppigel/status/798573300779745281

DetoxCrypto

Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte

Table 350. Table References

Links

http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/

Digisom

Ransomware

Table 351. Table References

Links

https://twitter.com/PolarToffee/status/829727052316160000

DirtyDecrypt

Ransomware

Table 352. Table References

Links

https://twitter.com/demonslay335/status/752586334527709184

DMALocker

Ransomware no extension change Encrypted files have prefix: Version 1: ABCXYZ11 - Version 2: !DMALOCK - Version 3: !DMALOCK3.0 - Version 4: !DMALOCK4.0

Table 353. Table References

Links

https://decrypter.emsisoft.com/

https://github.com/hasherezade/dma_unlocker

https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg

https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/

DNRansomware

Ransomware Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT

Table 355. Table References

Links

https://twitter.com/BleepinComputer/status/822500056511213568

DummyLocker

Ransomware

Table 358. Table References

Links

https://twitter.com/struppigel/status/794108322932785158

HiddenTear

Ransomware Open sourced C#

HiddenTear is also known as:

  • Cryptear

  • EDA2

Table 360. Table References

Links

http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html

EduCrypt

Ransomware Based on Hidden Tear

EduCrypt is also known as:

  • EduCrypter

Table 361. Table References

Links

http://www.filedropper.com/decrypter_1

https://twitter.com/JakubKroustek/status/747031171347910656

El-Polocker

Ransomware Has a GUI

El-Polocker is also known as:

  • Los Pollos Hermanos

encryptoJJS

Ransomware

Enjey

Ransomware Based on RemindMe

Table 365. Table References

Links

https://twitter.com/malwrhunterteam/status/839022018230112256

Fakben

Ransomware Based on Hidden Tear

Table 367. Table References

Links

https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code

Fantom

Ransomware Based on EDA2

Fantom is also known as:

  • Comrad Circle

Table 369. Table References

Links

http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/

FILE FROZR

Ransomware RaaS

Table 371. Table References

Links

https://twitter.com/rommeljoven17/status/846973265650335744

FileLocker

Ransomware

Table 372. Table References

Links

https://twitter.com/jiriatvirlab/status/836616468775251968

Flyper

Ransomware Based on EDA2 / HiddenTear

Table 374. Table References

Links

https://twitter.com/malwrhunterteam/status/773771485643149312

Fonco

Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents

FortuneCookie

Ransomware

Table 375. Table References

Links

https://twitter.com/struppigel/status/842302481774321664

Free-Freedom

Ransomware Unlock code is: adam or adamdude9

Free-Freedom is also known as:

  • Roga

Table 376. Table References

Links

https://twitter.com/BleepinComputer/status/812135608374226944

Fury

Ransomware

Table 378. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

Gingerbread

Ransomware

Table 380. Table References

Links

https://twitter.com/ni_fi_70/status/796353782699425792

GNL Locker

Ransomware Only encrypts DE or NL country. Variants, from old to latest: Zyklon Locker, WildFire locker, Hades Locker

Table 382. Table References

Links

http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/

Gomasom

Ransomware

Table 383. Table References

Links

https://decrypter.emsisoft.com/

Gopher

Ransomware OS X ransomware (PoC)

Hacked

Ransomware Jigsaw Ransomware variant

Table 385. Table References

Links

https://twitter.com/demonslay335/status/806878803507101696

HappyDayzz

Ransomware

Table 386. Table References

Links

https://twitter.com/malwrhunterteam/status/847114064224497666

Harasom

Ransomware

Table 387. Table References

Links

https://decrypter.emsisoft.com/

HDDCryptor

Ransomware Uses https://diskcryptor.net for full disk encryption

HDDCryptor is also known as:

  • Mamba

Table 388. Table References

Links

https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho

blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/[blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/]

Heimdall

Ransomware File marker: "Heimdall---"

Table 389. Table References

Links

https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/

Help_dcfile

Ransomware

Hi Buddy!

Ransomware Based on HiddenTear

Table 391. Table References

Links

http://www.nyxbone.com/malware/hibuddy.html

HTCryptor

Ransomware Includes a feature to disable the victim’s windows firewall Modified in-dev HiddenTear

Table 394. Table References

Links

https://twitter.com/BleepinComputer/status/803288396814839808

iLock

Ransomware

Table 396. Table References

Links

https://twitter.com/BleepinComputer/status/817085367144873985

iLockLight

Ransomware

International Police Association

Ransomware CryptoTorLocker2015 variant

Table 397. Table References

Links

http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe

iRansom

Ransomware

Table 398. Table References

Links

https://twitter.com/demonslay335/status/796134264744083460

JagerDecryptor

Ransomware Prepends filenames

Table 399. Table References

Links

https://twitter.com/JakubKroustek/status/757873976047697920

Jeiphoos

Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.

Jeiphoos is also known as:

  • Encryptor RaaS

  • Sarento

Table 400. Table References

Links

http://www.nyxbone.com/malware/RaaS.html

http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/

Jhon Woddy

Ransomware Same codebase as DNRansomware Lock screen password is M3VZ>5BwGGVH

Table 401. Table References

Links

https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip

https://twitter.com/BleepinComputer/status/822509105487245317

JohnyCryptor

Ransomware

KawaiiLocker

Ransomware

Table 404. Table References

Links

https://safezone.cc/resources/kawaii-decryptor.195/

KeyBTC

Ransomware

Table 406. Table References

Links

https://decrypter.emsisoft.com/

KillerLocker

Ransomware Possibly Portuguese dev

Table 408. Table References

Links

https://twitter.com/malwrhunterteam/status/782232299840634881

Korean

Ransomware Based on HiddenTear

Table 410. Table References

Links

http://www.nyxbone.com/malware/koreanRansom.html

KryptoLocker

Ransomware Based on HiddenTear

LanRan

Ransomware Variant of open-source MyLittleRansomware

Table 413. Table References

Links

https://twitter.com/struppigel/status/847689644854595584

LeChiffre

Ransomware Encrypts first 0x2000 and last 0x2000 bytes. Via remote attacker

Table 414. Table References

Links

https://decrypter.emsisoft.com/lechiffre

https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/

Lick

Ransomware Variant of Kirk

Table 415. Table References

Links

https://twitter.com/JakubKroustek/status/842404866614038529

Linux.Encoder

Ransomware Linux Ransomware

Linux.Encoder is also known as:

  • Linux.Encoder.{0,3}

Table 416. Table References

Links

https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

LK Encryption

Ransomware Based on HiddenTear

Table 417. Table References

Links

https://twitter.com/malwrhunterteam/status/845183290873044994

LLTP Locker

Ransomware Targeting Spanish speaking victims

Table 418. Table References

Links

https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/

Lortok

Ransomware

LowLevel04

Ransomware Prepends filenames

M4N1F3STO

Ransomware Does not encrypt Unlock code=suckmydicknigga

Table 422. Table References

Links

https://twitter.com/jiriatvirlab/status/808015275367002113

Mabouia

Ransomware OS X ransomware (PoC)

MacAndChess

Ransomware Based on HiddenTear

Magic

Ransomware Based on EDA2

Meister

Ransomware Targeting French victims

Table 425. Table References

Links

https://twitter.com/siri_urz/status/840913419024945152

Meteoritan

Ransomware

Table 426. Table References

Links

https://twitter.com/malwrhunterteam/status/844614889620561924

MireWare

Ransomware Based on HiddenTear

Mischa

Ransomware Packaged with Petya PDFBewerbungsmappe.exe

Mischa is also known as:

  • "Petya’s little brother"

Table 428. Table References

Links

http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/

MM Locker

Ransomware Based on EDA2

MM Locker is also known as:

  • Booyah

Table 429. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered

Monument

Ransomware Use the DarkLocker 5 porn screenlocker - Jigsaw variant

Table 431. Table References

Links

https://twitter.com/malwrhunterteam/status/844826339186135040

NanoLocker

Ransomware no extension change, has a GUI

Table 434. Table References

Links

http://github.com/Cyberclues/nanolocker-decryptor

Netix

Ransomware

Netix is also known as:

  • RANSOM_NETIX.A

Table 436. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/

Nhtnwcuf

Ransomware Does not encrypt the files / Files are destroyed

Table 437. Table References

Links

https://twitter.com/demonslay335/status/839221457360195589

NMoreira

Ransomware

NMoreira is also known as:

  • XRatTeam

  • XPan

Table 438. Table References

Links

https://decrypter.emsisoft.com/nmoreira

https://twitter.com/fwosar/status/803682662481174528

Nuke

Ransomware

Offline ransomware

Ransomware email addresses overlap with .777 addresses

Offline ransomware is also known as:

  • Vipasana

  • Cryakl

Table 442. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html

OMG! Ransomware

Ransomware

OMG! Ransomware is also known as:

  • GPCode

Owl

Ransomware

Owl is also known as:

  • CryptoWire

Table 444. Table References

Links

https://twitter.com/JakubKroustek/status/842342996775448576

Padlock Screenlocker

Ransomware Unlock code is: ajVr/G\ RJz0R

Table 446. Table References

Links

https://twitter.com/BleepinComputer/status/811635075158839296

Philadelphia

Ransomware Coded by "The_Rainmaker"

Table 449. Table References

Links

https://decrypter.emsisoft.com/philadelphia

www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/[www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/]

PowerWorm

Ransomware no decryption possible, throws key away, destroys the files

Ps2exe

Ransomware

Table 456. Table References

Links

https://twitter.com/jiriatvirlab/status/803297700175286273

R

Ransomware

Table 457. Table References

Links

https://twitter.com/malwrhunterteam/status/846705481741733892

R980

Ransomware

Table 458. Table References

Links

https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/

Rabion

Ransomware RaaS Copy of Ranion RaaS

Table 460. Table References

Links

https://twitter.com/CryptoInsane/status/846181140025282561

Rakhni

Ransomware Files might be partially encrypted

Rakhni is also known as:

  • Agent.iih

  • Aura

  • Autoit

  • Pletor

  • Rotor

  • Lamer

  • Isda

  • Cryptokluchen

  • Bandarchor

Table 462. Table References

Links

https://support.kaspersky.com/us/viruses/disinfection/10556

Ramsomeer

Ransomware Based on the DUMB ransomware

Rannoh

Ransomware

Table 463. Table References

Links

https://support.kaspersky.com/viruses/disinfection/8547

Ransom32

Ransomware no extension change, Javascript Ransomware

RansomLock

Ransomware Locks the desktop

Table 466. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2

RarVault

Ransomware

Rector

Ransomware

Table 468. Table References

Links

https://support.kaspersky.com/viruses/disinfection/4264

RektLocker

Ransomware

Table 469. Table References

Links

https://support.kaspersky.com/viruses/disinfection/4264

Rokku

Ransomware possibly related with Chimera

Table 471. Table References

Links

https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/

RoshaLock

Ransomware Stores your files in a password protected RAR file

Table 472. Table References

Links

https://twitter.com/siri_urz/status/842452104279134209

Runsomewere

Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background

Table 473. Table References

Links

https://twitter.com/struppigel/status/801812325657440256

RussianRoulette

Ransomware Variant of the Philadelphia ransomware

Table 474. Table References

Links

https://twitter.com/struppigel/status/823925410392080385

SADStory

Ransomware Variant of CryPy

Table 475. Table References

Links

https://twitter.com/malwrhunterteam/status/845356853039190016

Sage 2.2

Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.

Table 476. Table References

Links

https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate

https://malwarebreakdown.com/2017/03/10/finding-a-good-man/

Samas-Samsam

Ransomware Targeted attacks -Jexboss -PSExec -Hyena

Samas-Samsam is also known as:

  • samsam.exe

  • MIKOPONI.exe

  • RikiRafael.exe

  • showmehowto.exe

Table 477. Table References

Links

https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip

http://blog.talosintel.com/2016/03/samsam-ransomware.html

http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf

Sanction

Ransomware Based on HiddenTear, but heavily modified keygen

Sardoninir

Ransomware

Table 479. Table References

Links

https://twitter.com/BleepinComputer/status/835955409953357825

Serpico

Ransomware DetoxCrypto Variant

Table 482. Table References

Links

http://www.nyxbone.com/malware/Serpico.html

Smrss32

Ransomware

Sport

Ransomware

Strictor

Ransomware Based on EDA2, shows Guy Fawkes mask

Table 491. Table References

Links

http://www.nyxbone.com/malware/Strictor.html

Surprise

Ransomware Based on EDA2

Survey

Ransomware Still in development, shows FileIce survey

Table 492. Table References

Links

http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/

SynoLocker

Ransomware Exploited Synology NAS firmware directly over WAN

Threat Finder

Ransomware Files cannot be decrypted Has a GUI

TorrentLocker

Ransomware Newer variants not decryptable. Only first 2 MB are encrypted

TorrentLocker is also known as:

  • Crypt0L0cker

  • CryptoFortress

  • Teerac

Table 499. Table References

Links

http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/

https://twitter.com/PolarToffee/status/804008236600934403

http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html

Toxcrypt

Ransomware

Turkish

Ransomware

Table 504. Table References

Links

https://twitter.com/struppigel/status/821991600637313024

Turkish Ransom

Ransomware

Table 505. Table References

Links

http://www.nyxbone.com/malware/turkishRansom.html

UmbreCrypt

Ransomware CrypBoss Family

Table 506. Table References

Links

http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware

Ungluk

Ransomware Ransom note instructs to use Bitmessage to get in contact with attacker - Secretishere.key - SECRETISHIDINGHEREINSIDE.KEY - secret.key

Unlock92

Ransomware

Table 508. Table References

Links

https://twitter.com/malwrhunterteam/status/839038399944224768

VapeLauncher

Ransomware CryptoWire variant

Table 509. Table References

Links

https://twitter.com/struppigel/status/839771195830648833

VaultCrypt

Ransomware

VaultCrypt is also known as:

  • CrypVault

  • Zlader

Table 510. Table References

Links

http://www.nyxbone.com/malware/russianRansom.html

VBRANSOM 7

Ransomware

Table 511. Table References

Links

https://twitter.com/BleepinComputer/status/817851339078336513

WildFire Locker

Ransomware Zyklon variant

WildFire Locker is also known as:

  • Hades Locker

Table 515. Table References

Links

https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/

Xorist

Ransomware encrypted files will still have the original non-encrypted header of 0x33 bytes length

Table 516. Table References

Links

https://support.kaspersky.com/viruses/disinfection/2911

https://decrypter.emsisoft.com/xorist

XRTN

Ransomware VaultCrypt family

You Have Been Hacked!!!

Ransomware Attempt to steal passwords

Table 517. Table References

Links

https://twitter.com/malwrhunterteam/status/808280549802418181

Zcrypt

Ransomware

Zcrypt is also known as:

  • Zcryptor

Table 518. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/

Zeta

Ransomware

Zeta is also known as:

  • CryptoMix

Table 519. Table References

Links

https://twitter.com/JakubKroustek/status/804009831518572544

Zlader

Ransomware VaultCrypt family

Zlader is also known as:

  • Russian

  • VaultCrypt

  • CrypVault

Table 521. Table References

Links

http://www.nyxbone.com/malware/russianRansom.html

Zorro

Ransomware

Table 522. Table References

Links

https://twitter.com/BleepinComputer/status/844538370323812353

Zyklon

Ransomware Hidden Tear family, GNL Locker variant

Zyklon is also known as:

  • GNL Locker

vxLock

Ransomware

Jaff

We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.

Table 523. Table References

Links

http://blog.talosintelligence.com/2017/05/jaff-ransomware.html

https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/

RAT

remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system..

RAT is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

TeamViewer

TeamViewer is a proprietary computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.

Table 525. Table References

Links

https://www.teamviewer.com

Back Orifice

Back Orifice (often shortened to BO) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location.

Back Orifice is also known as:

  • BO

Table 526. Table References

Links

http://www.cultdeadcow.com/tools/bo.html

http://www.symantec.com/avcenter/warn/backorifice.html

Netbus

NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.

Netbus is also known as:

  • NetBus

Table 527. Table References

Links

http://www.symantec.com/avcenter/warn/backorifice.html

https://www.f-secure.com/v-descs/netbus.shtml

PoisonIvy

Poison Ivy is a RAT which was freely available and first released in 2005.

PoisonIvy is also known as:

  • Poison Ivy

  • Backdoor.Win32.PoisonIvy

  • Gen:Trojan.Heur.PT

Table 528. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf

https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml

Sub7

Sub7, or SubSeven or Sub7Server, is a Trojan horse program.[1] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". Sub7 was created by Mobman. Mobman has not maintained or updated the software since 2004, however an author known as Read101 has carried on the Sub7 legacy.

Sub7 is also known as:

  • SubSeven

  • Sub7Server

Table 529. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2001-020114-5445-99

Beast Trojan

Beast is a Windows-based backdoor trojan horse, more commonly known in the hacking community as a Remote Administration Tool or a "RAT". It is capable of infecting versions of Windows from 95 to 10.

Table 530. Table References

Links

https://en.wikipedia.org/wiki/Beast_(Trojan_horse)

Bifrost

Bifrost is a discontinued backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10 (although on modern Windows systems, after Windows XP, its functionality is limited). Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server whose behavior can be controlled by the server editor).

Table 531. Table References

Links

https://www.revolvy.com/main/index.php?s=Bifrost%20(trojan%20horse)&item_type=topic

http://malware-info.blogspot.lu/2008/10/bifrost-trojan.html

Blackshades

Blackshades is the name of a malicious trojan horse used by hackers to control computers remotely. The malware targets computers using Microsoft Windows -based operating systems.[2] According to US officials, over 500,000 computer systems have been infected worldwide with the software.

Table 532. Table References

Links

https://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/

DarkComet

DarkComet is a Remote Administration Tool (RAT) which was developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from the United Kingdom. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.

DarkComet is also known as:

  • Dark Comet

Table 533. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/

https://blogs.cisco.com/security/talos/darkkomet-rat-spam

Lanfiltrator

Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.

Table 534. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2002-121116-0350-99

Win32.HsIdir

Win32.HsIdir is an advanced remote administrator tool systems was done by the original author HS32-Idir, it is the development of the release made since 2006 Copyright © 2006-2010 HS32-Idir.

Table 535. Table References

Links

http://lexmarket.su/thread-27692.html

https://www.nulled.to/topic/129749-win32hsidir-rat/

Back Orifice 2000

Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software. Back Orifice 2000 is a new version of the famous Back Orifice backdoor trojan (hacker’s remote access tool). It was created by the Cult of Dead Cow hackers group in July 1999. Originally the BO2K was released as a source code and utilities package on a CD-ROM. There are reports that some files on that CD-ROM were infected with CIH virus, so the people who got that CD might get infected and spread not only the compiled backdoor, but also the CIH virus.

Back Orifice 2000 is also known as:

  • BO2k

Table 537. Table References

Links

https://en.wikipedia.org/wiki/Back_Orifice_2000

https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=10229

https://www.symantec.com/security_response/writeup.jsp?docid=2000-121814-5417-99

https://www.f-secure.com/v-descs/bo2k.shtml

RealVNC

The software consists of a server and client application for the Virtual Network Computing (VNC) protocol to control another

RealVNC is also known as:

  • VNC Connect

  • VNC Viewer

Table 538. Table References

Links

https://www.realvnc.com/

Adwind RAT

Backdoor:Java/Adwind is a Java archive (.JAR) file that drops a malicious component onto the machines and runs as a backdoor. When active, it is capable of stealing user information and may also be used to distribute other malware.

Adwind RAT is also known as:

  • UNRECOM

  • UNiversal REmote COntrol Multi-Platform

Table 539. Table References

Links

https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf

https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml

Arcom

The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00.

Table 541. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-112912-5237-99

http://blog.trendmicro.com/trendlabs-security-intelligence/tsunami-warning-leads-to-arcom-rat/

BlackNix

BlackNix rat is a rat coded in delphi.

Table 542. Table References

Links

https://leakforums.net/thread-18123?tid=18123&&pq=1

Blue Banana

Blue Banana is a RAT (Remote Administration Tool) created purely in Java

Table 543. Table References

Links

https://leakforums.net/thread-123872

https://techanarchy.net/2014/02/blue-banana-rat-config/

Bozok

Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze Sonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT actors have used both in previous targeted attacks.

Table 544. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html

ClientMesh

ClientMesh is a Remote Administration Application yhich allows a user to control a number of client PCs from around the world.

Table 545. Table References

Links

https://sinister.ly/Thread-ClientMesh-RAT-In-Built-FUD-Crypter-Stable-DDoSer-No-PortForwading-40-Lifetime

https://blog.yakuza112.org/2012/clientmesh-rat-v5-cracked-clean/

CyberGate

CyberGate is a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is continuously getting developed. Using cybergate you can log the victim’s passwords and can also get the screen shots of his computer’s screen.

Table 546. Table References

Links

http://www.hackersthirst.com/2011/03/cybergate-rat-hacking-facebook-twitter.html

http://www.nbcnews.com/id/41584097/ns/technology_and_science-security/t/cybergate-leaked-e-mails-hint-corporate-hacking-conspiracy/

DarkRat

In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool referred to by its developer as ‘Dark RAT’ – a tool used to steal sensitive information from victims. Offered as a Fully Undetectable build (FUD) the RAT has a tiered price model including 24/7 support and an Android version. Android malware has seen a significant rise in interest and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.

DarkRat is also known as:

  • DarkRAT

Table 548. Table References

Links

https://www.infosecurity-magazine.com/blogs/the-dark-rat/

http://darkratphp.blogspot.lu/

HawkEye

HawkEye is a popular RAT that can be used as a keylogger, it is also able to identify login events and record the destination, username, and password.

Table 550. Table References

Links

http://securityaffairs.co/wordpress/54837/hacking/one-stop-shop-hacking.html

jRAT

jRAT is the cross-platform remote administrator tool that is coded in Java, Because its coded in Java it gives jRAT possibilities to run on all operation systems, Which includes Windows, Mac OSX and Linux distributions.

Table 551. Table References

Links

https://www.rekings.com/shop/jrat/

jSpy

jSpy is a Java RAT.

Table 552. Table References

Links

https://leakforums.net/thread-479505

Lost Door

We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites.

Table 553. Table References

Links

http://lost-door.blogspot.lu/

http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/

https://www.cyber.nj.gov/threat-profiles/trojan-variants/lost-door-rat

LuxNET

Just saying that this is a very badly coded RAT by the biggest skid in this world, that is XilluX. The connection is very unstable, the GUI is always flickering because of the bad Multi-Threading and many more bugs.

Table 554. Table References

Links

https://leakforums.net/thread-284656

NJRat

NJRat is a remote access trojan (RAT), first spotted in June 2013 with samples dating back to November 2012. It was developed and is supported by Arabic speakers and mainly used by cybercrime groups against targets in the Middle East. In addition to targeting some governments in the region, the trojan is used to control botnets and conduct other typical cybercrime activity. It infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.

Table 555. Table References

Links

https://www.cyber.nj.gov/threat-profiles/trojan-variants/njrat

Pandora

Remote administrator tool that has been developed for Windows operation system. With advanced features and stable structure, Pandora’s structure is based on advanced client / server architecture. was configured using modern technology.

Table 556. Table References

Links

https://www.rekings.com/pandora-rat-2-2/

Predator Pain

Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved.

Predator Pain is also known as:

  • PredatorPain

Table 557. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/predator-pain-and-limitless-behind-the-fraud/

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-predator-pain-and-limitless.pdf

Punisher RAT

Remote administration tool

Table 558. Table References

Links

http://punisher-rat.blogspot.lu/

SpyGate

This is tool that allow you to control your computer form anywhere in world with full support to unicode language.

Table 559. Table References

Links

https://www.rekings.com/spygate-rat-3-2/

https://www.symantec.com/security_response/attacksignatures/detail.jsp%3Fasid%3D27950

http://spygate-rat.blogspot.lu/

Small-Net

RAT

Small-Net is also known as:

  • SmallNet

Table 560. Table References

Links

http://small-net-rat.blogspot.lu/

Vantom

Vantom is a free RAT with good option and very stable.

Table 561. Table References

Links

https://www.rekings.com/vantom-rat/

Xena

Xena RAT is a fully-functional, stable, state-of-the-art RAT, coded in a native language called Delphi, it has almost no dependencies.

Table 562. Table References

Links

https://leakforums.net/thread-497480

===

This malware has been used in targeted attacks as well as traditional cybercrime. During our investigation we found that the majority of XtremeRAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware.

Table 563. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html

Netwire

NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers.

Table 564. Table References

Links

https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data

Gh0st RAT

Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program. .

Table 565. Table References

Links

https://www.volexity.com/blog/2017/03/23/have-you-been-haunted-by-the-gh0st-rat-today/

Plasma RAT

Plasma RAT’s stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version.

Table 566. Table References

Links

http://www.zunzutech.com/blog/security/analysis-of-plasma-rats-source-code/

Babylon

Babylon is a highly advanced remote administration tool with no dependencies. The server is developed in C++ which is an ideal language for high performance and the client is developed in C#(.Net Framework 4.5)

Table 567. Table References

Links

https://www.rekings.com/babylon-rat/

Imminent Monitor

RAT

Table 568. Table References

Links

http://www.imminentmethods.info/

DroidJack

DroidJack is a RAT (Remote Access Trojan/Remote Administration Tool) nature of remote accessing, monitoring and managing tool (Java based) for Android mobile OS. You can use it to perform a complete remote control to any Android devices infected with DroidJack through your PC. It comes with powerful function and user-friendly operation – even allows attackers to fully take over the mobile phone and steal, record the victim’s private data wilfully.

Table 569. Table References

Links

http://droidjack.net/

Quasar RAT

Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface

Table 570. Table References

Links

https://github.com/quasar/QuasarRAT

Dendroid

Dendroid is malware that affects Android OS and targets the mobile platform. It was first discovered in early of 2014 by Symantec and appeared in the underground for sale for $300. Some things were noted in Dendroid, such as being able to hide from emulators at the time. When first discovered in 2014 it was one of the most sophisticated Android remote administration tools known at that time. It was one of the first Trojan applications to get past Google’s Bouncer and caused researchers to warn about it being easier to create Android malware due to it. It also seems to have follow in the footsteps of Zeus and SpyEye by having simple-to-use command and control panels. The code appeared to be leaked somewhere around 2014. It was noted that an apk binder was included in the leak, which provided a simple way to bind Dendroid to legitimate applications.

Table 571. Table References

Links

https://github.com/qqshow/dendroid

https://github.com/nyx0/Dendroid

Ratty

A Java R.A.T. program

Table 572. Table References

Links

https://github.com/shotskeber/Ratty

Androrat

Androrat is a client/server application developed in Java Android for the client side and in Java/Swing for the Server.

Table 575. Table References

Links

https://latesthackingnews.com/2015/05/31/how-to-hack-android-phones-with-androrat/

https://github.com/wszf/androrat

Adzok

Remote Administrator

Table 576. Table References

Links

http://adzok.com/

Schwarze-Sonne-RAT

Schwarze-Sonne-RAT is also known as:

  • SS-RAT

  • Schwarze Sonne

Table 577. Table References

Links

https://github.com/mwsrc/Schwarze-Sonne-RAT

RWX RAT

Table 579. Table References

Links

https://leakforums.net/thread-530663

Spynet

Spy-Net is a software that allow you to control any computer in world using Windows Operating System.He is back using new functions and good options to give you full control of your remote computer.Stable and fast, this software offer to you a good interface, creating a easy way to use all his functions

Table 580. Table References

Links

http://spynet-rat-officiel.blogspot.lu/

CTOS

Table 581. Table References

Links

https://leakforums.net/thread-559871

Virus RAT

Table 582. Table References

Links

https://github.com/mwsrc/Virus-RAT-v8.0-Beta

drat

A distributed, parallelized (Map Reduce) wrapper around Apache™ RAT to allow it to complete on large code repositories of multiple file types where Apache™ RAT hangs forev

Table 584. Table References

Links

https://github.com/chrismattmann/drat

MoSucker

MoSucker is a powerful backdoor - hacker’s remote access tool.

Table 585. Table References

Links

https://www.f-secure.com/v-descs/mosuck.shtml

ProRat

ProRat is a Microsoft Windows based backdoor trojan, more commonly known as a Remote Administration Tool. As with other trojan horses it uses a client and server. ProRat opens a port on the computer which allows the client to perform numerous operations on the server (the machine being controlled).

Table 587. Table References

Links

http://prorat.software.informer.com/

http://malware.wikia.com/wiki/ProRat

Table 590. Table References

Links

https://luminosity.link/

Orcus

Table 591. Table References

Links

https://orcustechnologies.com/

xRAT

Free, Open-Source Remote Administration Tool. xRAT 2.0 is a fast and light-weight Remote Administration Tool coded in C# (using .NET Framework 2.0).

Table 597. Table References

Links

https://github.com/c4bbage/xRAT

Offence

Offense RAT is a free renote administration tool made in Delphi 9.

Table 599. Table References

Links

https://leakforums.net/thread-31386?tid=31386&&pq=1

Apocalypse

Table 600. Table References

Links

https://leakforums.net/thread-36962

JCage

Table 601. Table References

Links

https://leakforums.net/thread-363920

Nuclear RAT

Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003).

Table 602. Table References

Links

http://malware.wikia.com/wiki/Nuclear_RAT

http://www.nuclearwintercrew.com/Products-View/21/Nuclear_RAT_2.1.0/

Ozone

C++ REMOTE CONTROL PROGRAM

Table 603. Table References

Links

http://ozonercp.com/

Xanity

Table 604. Table References

Links

https://github.com/alienwithin/xanity-php-rat

DarkMoon

DarkMoon is also known as:

  • Dark Moon

Kiler RAT

This remote access trojan (RAT) has capabilities ranging from manipulating the registry to opening a reverse shell. From stealing credentials stored in browsers to accessing the victims webcam. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread utilizing physic devices, such as USB drives, but also to use the victim as a pivot point to gain more access laterally throughout the network. This remote access trojan could be classified as a variant of the well known njrat, as they share many similar features such as their display style, several abilities and a general template for communication methods . However, where njrat left off KilerRat has taken over. KilerRat is a very feature rich RAT with an active development force that is rapidly gaining in popularity amongst the middle eastern community and the world.

Table 606. Table References

Links

https://www.alienvault.com/blogs/labs-research/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off

Lost Door

Unlike most attack tools that one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. It’s promoted on social media sites like YouTube and Facebook. Its maker, “OussamiO,” even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT is found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.

Table 607. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/

Loki RAT

Loki RAT is a php RAT that means no port forwarding is needed for this RAT, If you dont know how to setup this RAT click on tutorial.

Table 608. Table References

Links

https://www.rekings.com/loki-rat-php-rat/

MLRat

Table 609. Table References

Links

https://github.com/BahNahNah/MLRat

Pupy

Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Table 611. Table References

Links

https://github.com/n1nj4sec/pupy

Nova

Nova is a proof of concept demonstrating screen sharing over UDP hole punching.

Table 612. Table References

Links

http://novarat.sourceforge.net/

Turkojan

Turkojan is a remote administration and spying tool for Microsoft Windows operating systems.

Table 614. Table References

Links

http://turkojan.blogspot.lu/

TINY

TINY is a set of programs that lets you control a DOS computer from any Java-capable machine over a TCP/IP connection. It is comparable to programs like VNC, CarbonCopy, and GotoMyPC except that the host machine is a DOS computer rather than a Windows one.

Table 615. Table References

Links

http://josh.com/tiny/

SharK

sharK is an advanced reverse connecting, firewall bypassing remote administration tool written in VB6. With sharK you will be able to administrate every PC (using Windows OS) remotely.

SharK is also known as:

  • SHARK

  • Shark

Table 616. Table References

Links

https://www.security-database.com/toolswatch/SharK-3-Remote-Administration-Tool.html

http://lpc1.clpccd.cc.ca.us/lpc/mdaoud/CNT7501/NETLABS/Ethical_Hacking_Lab_05.pdf

Snowdoor

Backdoor.Snowdoor is a Backdoor Trojan Horse that allows unauthorized access to an infected computer. It creates an open C drive share with its default settings. By default, the Trojan listens on port 5,328.

Snowdoor is also known as:

  • Backdoor.Blizzard

  • Backdoor.Fxdoor

  • Backdoor.Snowdoor

  • Backdoor:Win32/Snowdoor

Table 617. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2003-022018-5040-99

Paradox

Table 618. Table References

Links

https://www.nulled.to/topic/155464-paradox-rat/

SpyNote

Android RAT

Table 619. Table References

Links

https://www.rekings.com/spynote-v4-android-rat/

NET-MONITOR PRO

Net Monitor for Employees lets you see what everyone’s doing - without leaving your desk. Monitor the activity of all employees. Plus you can share your screen with your employees PCs, making demos and presentations much easier.

Table 620. Table References

Links

https://networklookout.com/help/

DameWare Mini Remote Control

Affordable remote control software for all your customer support and help desk needs.

DameWare Mini Remote Control is also known as:

  • dameware

Table 621. Table References

Links

http://www.dameware.com/dameware-mini-remote-control

Remote Utilities

Remote Utilities is a free remote access program with some really great features. It works by pairing two remote computers together with what they call an "Internet ID." You can control a total of 10 PCs with Remote Utilities.

Table 622. Table References

Links

https://www.remoteutilities.com/

Ammyy Admin

Ammyy Admin is a completely portable remote access program that’s extremely simple to setup. It works by connecting one computer to another via an ID supplied by the program.

Table 623. Table References

Links

http://ammyy-admin.soft32.com/

Ultra VNC

UltraVNC works a bit like Remote Utilities, where a server and viewer is installed on two PCs, and the viewer is used to control the server.

Table 624. Table References

Links

http://www.uvnc.com/

AeroAdmin

AeroAdmin is probably the easiest program to use for free remote access. There are hardly any settings, and everything is quick and to the point, which is perfect for spontaneous support.

Table 625. Table References

Links

http://www.aeroadmin.com/en/

Windows Remote Desktop

Windows Remote Desktop is the remote access software built into the Windows operating system. No additional download is necessary to use the program.

RemotePC

RemotePC, for good or bad, is a more simple free remote desktop program. You’re only allowed one connection (unless you upgrade) but for many of you, that’ll be just fine.

Table 626. Table References

Links

https://www.remotepc.com/

Seecreen

Seecreen (previously called Firnass) is an extremely tiny (500 KB), yet powerful free remote access program that’s absolutely perfect for on-demand, instant support.

Seecreen is also known as:

  • Firnass

Table 627. Table References

Links

http://seecreen.com/

Chrome Remote Desktop

Chrome Remote Desktop is an extension for the Google Chrome web browser that lets you setup a computer for remote access from any other Chrome browser.

Table 628. Table References

Links

https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp?hl=en

AnyDesk

AnyDesk is a remote desktop program that you can run portably or install like a regular program.

Table 629. Table References

Links

https://anydesk.com/remote-desktop

LiteManager

LiteManager is another remote access program, and it’s strikingly similar to Remote Utilities, which I explain on the first page of this list. However, unlike Remote Utilities, which can control a total of only 10 PCs, LiteManager supports up to 30 slots for storing and connecting to remote computers, and also has lots of useful features.

Table 630. Table References

Links

http://www.litemanager.com/

Comodo Unite

Comodo Unite is another free remote access program that creates a secure VPN between multiple computers. Once a VPN is established, you can remotely have access to applications and files through the client software.

Table 631. Table References

Links

https://www.comodo.com/home/download/download.php?prod=comodounite

ShowMyPC

ShowMyPC is a portable and free remote access program that’s nearly identical to UltraVNC but uses a password to make a connection instead of an IP address.

Table 632. Table References

Links

https://showmypc.com/

join.me

join.me is a remote access program from the producers of LogMeIn that provides quick access to another computer over an internet browser.

Table 633. Table References

Links

https://www.join.me/

DesktopNow

DesktopNow is a free remote access program from NCH Software. After optionally forwarding the proper port number in your router, and signing up for a free account, you can access your PC from anywhere through a web browser.

Table 634. Table References

Links

http://www.nchsoftware.com/remotedesktop/index.html

BeamYourScreen

Another free and portable remote access program is BeamYourScreen. This program works like some of the others in this list, where the presenter is given an ID number they must share with another user so they can connect to the presenter’s screen.

Table 635. Table References

Links

http://www.beamyourscreen.com/

Bandook RAT

Bandook is a FWB#++ reverse connection rat (Remote Administration Tool), with a small size server when packed 30 KB, and a long list of amazing features

Table 636. Table References

Links

http://www.nuclearwintercrew.com/Products-View/57/Bandook_RAT_v1.35NEW_/[http://www.nuclearwintercrew.com/Products-View/57/Bandook_RAT_v1.35NEW_/]

Snoopy

Snoopy is a Remote Administration Tool. Software for controlling user computer remotely from other computer on local network or Internet.

Table 638. Table References

Links

http://www.spy-emergency.com/research/S/Snoopy.html

NetDevil

Backdoor.NetDevil allows a hacker to remotely control an infected computer.

Table 639. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2002-021310-3452-99

TDS

TDS is a list of Traffic Direction System used by adversaries.

TDS is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Kafeine

Keitaro

Keitaro TDS is among the mostly used TDS in drive by infection chains

Table 640. Table References

Links

https://keitarotds.com/

Sutra

Sutra TDS was dominant from 2012 till 2015

Table 641. Table References

Links

http://kytoon.com/sutra-tds.html

SimpleTDS

SimpleTDS is a basic open source TDS

SimpleTDS is also known as:

  • Stds

Table 642. Table References

Links

https://sourceforge.net/projects/simpletds/

BossTDS

BossTDS

Table 643. Table References

Links

http://bosstds.com/

BlackHat TDS

BlackHat TDS is sold underground.

Table 644. Table References

Links

http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html

Futuristic TDS

Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer

Orchid TDS

Orchid TDS was sold underground. Rare usage

Threat actor

Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign..

Threat actor is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/threat actor.json[this location] The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Alexandre Dulaunoy - Florian Roth - Thomas Schreck - Timo Steffens - Various

Comment Crew

PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People’s Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks

Comment Crew is also known as:

  • Comment Panda

  • PLA Unit 61398

  • APT 1

  • APT1

  • Advanced Persistent Threat 1

  • Byzantine Candor

  • Group 3

  • TG-8223

  • Comment Group

Table 645. Table References

Links

https://en.wikipedia.org/wiki/PLA_Unit_61398

http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Nitro

These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014.

Nitro is also known as:

  • Covert Grove

Table 646. Table References

Links

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf

Codoso

The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors’ computers with malware.'

Codoso is also known as:

  • C0d0so

  • Sunshop Group

Table 647. Table References

Links

https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html

Foxy Panda

Adversary group targeting telecommunication and technology organizations.

Dizzy Panda

Dizzy Panda is also known as:

  • LadyBoyle

Putter Panda

Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'

Putter Panda is also known as:

  • PLA Unit 61486

  • APT 2

  • Group 36

  • APT-2

  • MSUpdater

  • 4HCrew

  • SULPHUR

  • TG-6952

Table 650. Table References

Links

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

UPS

Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'

UPS is also known as:

  • Gothic Panda

  • TG-0110

  • APT 3

  • Group 6

  • UPS Team

  • APT3

  • Buckeye

Table 651. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html

http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

DarkHotel

Kaspersky described DarkHotel in a 2014 report as: '…​ DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'

DarkHotel is also known as:

  • DUBNIUM

  • Fallout Team

Table 652. Table References

Links

https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/

https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2

IXESHE

A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.

IXESHE is also known as:

  • Numbered Panda

  • TG-2754

  • BeeBus

  • Group 22

  • DynCalc

  • Crimson Iron

  • APT12

  • APT 12

Table 653. Table References

Links

http://www.crowdstrike.com/blog/whois-numbered-panda/

Aurora Panda

FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'

Aurora Panda is also known as:

  • APT 17

  • Deputy Dog

  • Group 8

  • APT17

  • Hidden Lynx

  • Tailgater Team

Table 655. Table References

Links

http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf

Wekby

Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'

Wekby is also known as:

  • Dynamite Panda

  • TG-0416

  • APT 18

  • SCANDIUM

  • APT18

Table 656. Table References

Links

https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828

Tropic Trooper

TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'

Tropic Trooper is also known as:

  • Operation Tropic Trooper

Table 657. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf

Axiom

The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'

Axiom is also known as:

  • Winnti Group

  • Tailgater Team

  • Group 72

  • Group72

  • Tailgater

  • Ragebeast

  • Blackfly

  • Lead

  • Wicked Spider

Table 658. Table References

Links

http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/

http://williamshowalter.com/a-universal-windows-bootkit/

https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp

Shell Crew

Adversary group targeting financial, technology, non-profit organisations.

Shell Crew is also known as:

  • Deep Panda

  • WebMasters

  • APT 19

  • KungFu Kittens

  • Black Vine

  • Group 13

  • PinkPanther

  • Sh3llCr3w

Table 659. Table References

Links

http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf

http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf

Naikon

Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'

Naikon is also known as:

  • PLA Unit 78020

  • Override Panda

  • Camerashy

  • APT.Naikon

Table 660. Table References

Links

https://securelist.com/analysis/publications/69953/the-naikon-apt/

http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html

Lotus Blossom

Lotus Blossom is also known as:

  • Spring Dragon

  • ST Group

Table 661. Table References

Links

https://securelist.com/blog/research/70726/the-spring-dragon-apt/

Lotus Panda

Lotus Panda is also known as:

  • Elise

Emissary Panda

A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.

Emissary Panda is also known as:

  • TG-3390

  • APT 27

  • TEMP.Hippo

  • Group 35

  • HIPPOTeam

  • APT27

  • Operation Iron Tiger

Table 663. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/

http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/

Stone Panda

Stone Panda is also known as:

  • APT10

  • APT 10

  • menuPass

  • happyyongzi

  • POTASSIUM

  • DustStorm

  • Red Apollo

  • CVNX

Table 664. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/

Nightshade Panda

Nightshade Panda is also known as:

  • APT 9

  • Flowerlady/Flowershow

  • Flowerlady

  • Flowershow

Table 665. Table References

Links

https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/

Hellsing

Hellsing is also known as:

  • Goblin Panda

  • Cycldek

Table 666. Table References

Links

https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/

Mirage

Mirage is also known as:

  • Vixen Panda

  • Ke3Chang

  • GREF

  • Playful Dragon

  • APT 15

  • Metushy

  • Social Network Team

Table 668. Table References

Links

https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html

Anchor Panda

PLA Navy

Anchor Panda is also known as:

  • APT14

  • APT 14

  • QAZTeam

  • ALUMINUM

Table 669. Table References

Links

http://www.crowdstrike.com/blog/whois-anchor-panda/

Ice Fog

Operate since at least 2011, from several locations in China, with members in Korea and Japan as well.

Ice Fog is also known as:

  • IceFog

  • Dagger Panda

Table 671. Table References

Links

https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/

Pitty Panda

The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials

Pitty Panda is also known as:

  • PittyTiger

  • MANGANESE

Table 672. Table References

Links

http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2

Beijing Group

Beijing Group is also known as:

  • Sneaky Panda

Radio Panda

Radio Panda is also known as:

  • Shrouded Crossbow

Samurai Panda

Samurai Panda is also known as:

  • PLA Navy

  • APT4

  • APT 4

  • Getkys

  • SykipotGroup

  • Wkysol

Table 675. Table References

Links

http://www.crowdstrike.com/blog/whois-samurai-panda/

Temper Panda

China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.

Temper Panda is also known as:

  • Admin338

  • Team338

  • MAGNESIUM

  • admin@338

Table 678. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html

https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

Flying Kitten

Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.

Flying Kitten is also known as:

  • SaffronRose

  • Saffron Rose

  • AjaxSecurityTeam

  • Ajax Security Team

  • Group 26

Table 680. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf

Cutting Kitten

While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.

Cutting Kitten is also known as:

  • ITSecTeam

  • Threat Group 2889

  • TG-2889

  • Ghambar

Table 681. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/

Charming Kitten

Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.

Charming Kitten is also known as:

  • Newscaster

  • Parastoo

  • Group 83

  • Newsbeef

Table 682. Table References

Links

https://en.wikipedia.org/wiki/Operation_Newscaster

Magic Kitten

Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.

Magic Kitten is also known as:

  • Group 42

Table 683. Table References

Links

http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/

Rocket Kitten

Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.

Rocket Kitten is also known as:

  • TEMP.Beanie

  • Operation Woolen Goldfish

  • Thamar Reservoir

Table 684. Table References

Links

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing

https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf

http://www.clearskysec.com/thamar-reservoir/

https://citizenlab.org/2015/08/iran_two_factor_phishing/

https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

Cleaver

A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies.

Cleaver is also known as:

  • Operation Cleaver

  • Tarh Andishan

  • Alibaba

  • 2889

  • TG-2889

Table 685. Table References

Links

http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf

Rebel Jackal

This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.

Rebel Jackal is also known as:

  • FallagaTeam

Viking Jackal

Viking Jackal is also known as:

  • Vikingdom

Sofacy

The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.

Sofacy is also known as:

  • APT 28

  • APT28

  • Pawn Storm

  • Fancy Bear

  • Sednit

  • TsarTeam

  • TG-4127

  • Group-4127

  • STRONTIUM

  • TAG_0700

  • Swallowtail

  • IRON TWILIGHT

Table 686. Table References

Links

https://en.wikipedia.org/wiki/Sofacy_Group

APT 29

A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering '

APT 29 is also known as:

  • Dukes

  • Group 100

  • Cozy Duke

  • CozyDuke

  • EuroAPT

  • CozyBear

  • CozyCar

  • Cozer

  • Office Monkeys

  • OfficeMonkeys

  • APT29

  • Cozy Bear

  • The Dukes

  • Minidionis

  • SeaDuke

Table 687. Table References

Links

https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/

Turla Group

A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'

Turla Group is also known as:

  • Turla

  • Snake

  • Venomous Bear

  • Group 88

  • Waterbug

  • WRAITH

  • Turla Team

  • Uroburos

  • Pfinet

  • TAG_0530

  • KRYPTON

  • Hippo Team

Table 688. Table References

Links

https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf

https://www.circl.lu/pub/tr-25/

https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec

Energetic Bear

A Russian group that collects intelligence on the energy industry.

Energetic Bear is also known as:

  • Dragonfly

  • Crouching Yeti

  • Group 24

  • Havex

  • CrouchingYeti

  • Koala Team

Table 689. Table References

Links

http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/

Sandworm

Sandworm is also known as:

  • Sandworm Team

  • Black Energy

  • BlackEnergy

  • Quedagh

  • Voodoo Bear

Table 690. Table References

Links

http://www.isightpartners.com/2014/10/cve-2014-4114/

TeleBots

We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.

Table 691. Table References

Links

http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

Anunak

Groups targeting financial organizations or people with significant financial assets.

Anunak is also known as:

  • Carbanak

  • Carbon Spider

Table 692. Table References

Links

https://en.wikipedia.org/wiki/Carbanak

TeamSpy Crew

TeamSpy Crew is also known as:

  • TeamSpy

  • Team Bear

  • Berserk Bear

Table 693. Table References

Links

https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/

Wolf Spider

Wolf Spider is also known as:

  • FIN4

Boulder Bear

First observed activity in December 2013.

Shark Spider

This group’s activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.

Silent Chollima

Silent Chollima is also known as:

  • OperationTroy

  • Guardian of Peace

  • GOP

  • WHOis Team

Table 696. Table References

Links

http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf

Lazarus Group

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.

Lazarus Group is also known as:

  • Operation DarkSeoul

  • Hidden Cobra

Table 697. Table References

Links

https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/

https://www.us-cert.gov/ncas/alerts/TA17-164A

Viceroy Tiger

Viceroy Tiger is also known as:

  • Appin

  • OperationHangover

Table 698. Table References

Links

http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf

Pizzo Spider

Pizzo Spider is also known as:

  • DD4BC

  • Ambiorx

Corsair Jackal

Corsair Jackal is also known as:

  • TunisianCyberArmy

SNOWGLOBE

In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.

SNOWGLOBE is also known as:

  • Animal Farm

Table 699. Table References

Links

https://securelist.com/blog/research/69114/animals-in-the-apt-farm/

Deadeye Jackal

The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies. The precise nature of SEA’s relationship with the Syrian government has changed over time and is unclear

Deadeye Jackal is also known as:

  • SyrianElectronicArmy

  • SEA

Table 700. Table References

Links

https://en.wikipedia.org/wiki/Syrian_Electronic_Army

Operation C-Major

Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro.

Operation C-Major is also known as:

  • C-Major

Table 701. Table References

Links

http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf

Stealth Falcon

Group targeting Emirati journalists, activists, and dissidents.

Stealth Falcon is also known as:

  • FruityArmor

Table 702. Table References

Links

https://citizenlab.org/2016/05/stealth-falcon/

ScarCruft

ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.

ScarCruft is also known as:

  • Operation Daybreak

  • Operation Erebus

Table 703. Table References

Links

https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/

Pacifier APT

Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail.

Pacifier APT is also known as:

  • Skipper

  • Popeye

Table 704. Table References

Links

http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf

HummingBad

This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder

Table 705. Table References

Links

http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

Dropping Elephant

Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.

Dropping Elephant is also known as:

  • Chinastrats

  • Patchwork

  • Monsoon

  • Sarit

Table 706. Table References

Links

https://securelist.com/blog/research/75328/the-dropping-elephant-actor/

http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries

Operation Transparent Tribe

Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.

Table 707. Table References

Links

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.

Table 708. Table References

Links

https://attack.mitre.org/wiki/Groups

http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

Poseidon Group

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.

Table 709. Table References

Links

https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/

https://attack.mitre.org/wiki/Groups

DragonOK

Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.

DragonOK is also known as:

  • Moafee

Table 710. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf

https://attack.mitre.org/wiki/Groups

Threat Group-3390

Chinese threat group that has extensively used strategic Web compromises to target victims.

Threat Group-3390 is also known as:

  • TG-3390

  • Emissary Panda

Table 711. Table References

Links

http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/

https://attack.mitre.org

ProjectSauron

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.

ProjectSauron is also known as:

  • Strider

  • Sauron

Table 712. Table References

Links

https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/

APT 30

APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.

APT 30 is also known as:

  • APT30

Table 713. Table References

Links

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

https://attack.mitre.org/wiki/Group/G0013

TA530

TA530, who we previously examined in relation to large-scale personalized phishing campaigns

GCMAN

GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.

Table 714. Table References

Links

https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/

Suckfly

Suckfly is a China-based threat group that has been active since at least 2014

Table 715. Table References

Links

http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

FIN6

FIN is a group targeting financial assets including assets able to do financial transaction including PoS.

Table 716. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf

Libyan Scorpions

Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.

TeamXRat

TeamXRat is also known as:

  • CorporacaoXRat

  • CorporationXRat

Table 717. Table References

Links

https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/

OilRig

Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015.

Table 718. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

Volatile Cedar

Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .

Table 719. Table References

Links

https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf

Malware reusers

Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.

Malware reusers is also known as:

  • Reuse team

  • Dancing Salome

TERBIUM

Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.

Table 720. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/

Molerats

In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”

Molerats is also known as:

  • Gaza Hackers Team

  • Operation Molerats

  • Extreme Jackal

  • Moonlight

Table 721. Table References

Links

https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks

PROMETHIUM

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

PROMETHIUM is also known as:

  • StrongPity

Table 722. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users

NEODYMIUM

NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.

Table 723. Table References

Links

https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

Packrat

A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.

Table 724. Table References

Links

https://citizenlab.org/2015/12/packrat-report/

Cadelle

Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.

Table 725. Table References

Links

https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

Chafer

Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.

Table 726. Table References

Links

https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

PassCV

The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.

Table 727. Table References

Links

https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies

Sath-ı Müdafaa

A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.

Aslan Neferler Tim

Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam

Aslan Neferler Tim is also known as:

  • Lion Soldiers Team

  • Phantom Turk

Ayyıldız Tim

Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.

Ayyıldız Tim is also known as:

  • Crescent and Star

TurkHackTeam

Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations.

TurkHackTeam is also known as:

  • Turk Hack Team

Equation Group

The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame

Table 728. Table References

Links

https://en.wikipedia.org/wiki/Equation_Group

Greenbug

Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.

Table 729. Table References

Links

https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon

Gamaredon Group

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.

Table 730. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution

Hammer Panda

Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia.

Hammer Panda is also known as:

  • Zhenbao

Table 731. Table References

Links

http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242

Infy

Infy is a group of suspected Iranian origin.

Infy is also known as:

  • Operation Mermaid

Table 733. Table References

Links

https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf

Sima

Sima is a group of suspected Iranian origin targeting Iranians in diaspora.

Table 734. Table References

Links

https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf

Blue Termite

Blue Termite is a group of suspected Chinese origin active in Japan.

Blue Termite is also known as:

  • Cloudy Omega

Table 735. Table References

Links

https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/

Groundbait

Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.

Table 736. Table References

Links

http://www.welivesecurity.com/2016/05/18/groundbait

Longhorn

Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.

Table 737. Table References

Links

https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7

Callisto

The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.

Table 738. Table References

Links

https://www.f-secure.com/documents/996508/1030745/callisto-group

APT32

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.

APT32 is also known as:

  • OceanLotus Group

  • Ocean Lotus

  • APT-32

  • APT 32

Table 739. Table References

Links

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

SilverTerrier

As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available.

Table 740. Table References

Links

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf

WildNeutron

A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.

WildNeutron is also known as:

  • Butterfly

  • Morpho

  • Sphinx Moth

Table 741. Table References

Links

https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks

https://securelist.com/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/

https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/

PLATINUM

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.

Table 742. Table References

Links

http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/

ELECTRUM

Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.

Table 743. Table References

Links

https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

FIN8

FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.

Table 744. Table References

Links

https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html

https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html

https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf

http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf

Tool

threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries..

Tool is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Alexandre Dulaunoy - Florian Roth - Timo Steffens - Christophe Vandeplas

Tinba

Banking Malware

Tinba is also known as:

  • Hunter

  • Zusy

  • TinyBanker

Table 745. Table References

Links

https://thehackernews.com/search/label/Zusy%20Malware

http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/

PlugX

Malware

PlugX is also known as:

  • Backdoor.FSZO-5117

  • Trojan.Heur.JP.juW@ayZZvMb

  • Trojan.Inject1.6386

  • Korplug

  • Agent.dhwf

Table 746. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx

MSUpdater

Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009
Table 747. Table References

Links

https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx

Lazagne

A password sthealing tool regularly used by attackers

Table 748. Table References

Links

https://github.com/AlessandroZ/LaZagne

Poison Ivy

Poison Ivy is a RAT which was freely available and first released in 2005.

Poison Ivy is also known as:

  • Backdoor.Win32.PoisonIvy

  • Gen:Trojan.Heur.PT

Table 749. Table References

Links

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf

https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml

SPIVY

In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.

Table 750. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/

Torn RAT

Torn RAT is also known as:

  • Anchor Panda

Table 751. Table References

Links

https://www.crowdstrike.com/blog/whois-anchor-panda/

OzoneRAT

OzoneRAT is also known as:

  • Ozone RAT

  • ozonercp

Table 752. Table References

Links

https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat

ZeGhost

ZeGhots is a RAT which was freely available and first released in 2014.

ZeGhost is also known as:

  • BackDoor-FBZT!52D84425CDF2

  • Trojan.Win32.Staser.ytq

  • Win32/Zegost.BW

Table 753. Table References

Links

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW

Elise Backdoor

Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009

Elise Backdoor is also known as:

  • Elise

Table 754. Table References

Links

http://thehackernews.com/2015/08/elise-malware-hacking.html

Trojan.Laziok

A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.

Trojan.Laziok is also known as:

  • Laziok

Table 755. Table References

Links

http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector

Slempo

Android-based malware

Slempo is also known as:

  • GM-Bot

  • SlemBunk

  • Bankosy

  • Acecard

Table 756. Table References

Links

https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/

PWOBot

We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.

PWOBot is also known as:

  • PWOLauncher

  • PWOHTTPD

  • PWOKeyLogger

  • PWOMiner

  • PWOPyExec

  • PWOQuery

Table 757. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/

Lost Door RAT

We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.

Lost Door RAT is also known as:

  • LostDoor RAT

  • BKDR_LODORAT

Table 758. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/

NanoCoreRAT

NanoCoreRAT is also known as:

  • NanoCore

  • Nancrat

  • Zurten

  • Atros2.CKPN

Table 760. Table References

Links

http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter

https://nanocore.io/

Sakula

Sakula is also known as:

  • Sakurel

Table 761. Table References

Links

https://www.secureworks.com/research/sakula-malware-family

Trojan.Naid

Trojan.Naid is also known as:

  • Naid

  • Mdmbot.E

  • AGENT.GUNZ

  • AGENT.AQUP.DROPPER

  • AGENT.BMZA

  • MCRAT.A

  • AGENT.ABQMR

Table 765. Table References

Links

https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid

http://telussecuritylabs.com/threats/show/TSL20120614-05

Moudoor

Backdoor.Moudoor, a customized version of Gh0st RAT

Moudoor is also known as:

  • SCAR

  • KillProc.14145

Table 766. Table References

Links

http://www.darkreading.com/attacks-breaches/elite-chinese-cyberspy-group-behind-bit9-hack/d/d-id/1140495

https://securityledger.com/2013/09/apt-for-hire-symantec-outs-hidden-lynx-hacking-crew/

NetTraveler

APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.

NetTraveler is also known as:

  • TravNet

  • Netfile

Table 767. Table References

Links

https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/

Winnti

APT used As part of Operation SMN, Novetta analyzed recent versions of the Winnti malware. The samples, compiled from mid- to late 2014, exhibited minimal functional changes over the previous generations Kaspersky reported in 2013.

Winnti is also known as:

  • Etso

  • SUQ

  • Agent.ALQHI

Table 768. Table References

Links

https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/

Mimikatz

Ease Credential stealh and replay, A little tool to play with Windows security.

Mimikatz is also known as:

  • Mikatz

Table 769. Table References

Links

https://github.com/gentilkiwi/mimikatz

Pirpi

Symantec has observed Buckeye activity dating back to 2009, involving attacks on various organizations in several regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization’s network in 2009. The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails.

Pirpi is also known as:

  • Badey

  • EXL

Table 771. Table References

Links

http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

RARSTONE

RARSTONE is a Remote Access Tool (RAT) discovered early 2013 by TrendMicro, it’s characterized by a great affinity with the other RAT know as Plug is and was used in April for phishing campaigns that followed the dramatic attack to the Boston Marathon.

Table 772. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/

Backspace

Backspace is a Backdoor that targets the Windows platform. This malware is reportedly associated with targeted attacks against Association of Southeast Asian Nations (ASEAN) members (APT30).

Backspace is also known as:

  • Lecna

Table 773. Table References

Links

https://www2.fireeye.com/WEB-2015RPTAPT30.html

https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf

Neteagle

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as Scout and Norton.

Neteagle is also known as:

  • scout

  • norton

Table 775. Table References

Links

https://attack.mitre.org/wiki/Software/S0034

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Agent.BTZ

In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit.

Agent.BTZ is also known as:

  • ComRat

Table 776. Table References

Links

https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat

Heseber BOT

RAT bundle with standard VNC (to avoid/limit A/V detection).

Wipbot

Waterbug is the name given to the actors who use the malware tools Trojan.Wipbot (also known as Tavdig and Epic Turla)

Wipbot is also known as:

  • Tavdig

  • Epic Turla

  • WorldCupSec

  • TadjMakhal

Table 777. Table References

Links

https://securelist.com/analysis/publications/65545/the-epic-turla-operation/

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf

Turla

Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver).

Turla is also known as:

  • Snake

  • Uroburos

  • Urouros

Table 778. Table References

Links

https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf

Dark Comet

RAT initialy identified in 2011 and still actively used.

Cadelspy

Cadelspy is also known as:

  • WinSpy

DHS2015

DHS2015 is also known as:

  • iRAT

Table 780. Table References

Links

https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf

Gh0st Rat

Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.

Gh0st Rat is also known as:

  • Gh0stRat, GhostRat

Table 781. Table References

Links

http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf

Fakem RAT

Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).

Fakem RAT is also known as:

  • FAKEM

Table 782. Table References

Links

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf

Blackshades

Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.

Table 784. Table References

Links

https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection

https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/

CHOPSTICK

backdoor used by apt28

CHOPSTICK is also known as:

  • webhp

  • SPLM

  • (.v2 fysbis)

Table 785. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

EVILTOSS

backdoor used by apt28

EVILTOSS is also known as:

  • Sedreco

  • AZZY

  • ADVSTORESHELL

  • NETUI

Table 786. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

GAMEFISH

backdoor

GAMEFISH is also known as:

  • Sednit

  • Seduploader

  • JHUHUGIT

  • Sofacy

Table 787. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

SOURFACE

downloader - Older version of CORESHELL

SOURFACE is also known as:

  • Sofacy

Table 788. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

OLDBAIT

credential harvester

OLDBAIT is also known as:

  • Sasfis

  • BackDoor-FDU

  • IEChecker

Table 789. Table References

Links

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_sasfis.tl

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

CORESHELL

downloader - Newer version of SOURFACE

CORESHELL is also known as:

  • Sofacy

Table 790. Table References

Links

https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

Havex RAT

Havex RAT is also known as:

  • Havex

Regin

Regin (also known as Prax or WarriorPride) is a sophisticated malware toolkit revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download including malware discovered at Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003. The name Regin is first found on the VirusTotal website on 9 March 2011.

Regin is also known as:

  • Prax

  • WarriorPride

Table 792. Table References

Links

https://en.wikipedia.org/wiki/Regin_(malware)

T5000

T5000 is also known as:

  • Plat1

Table 795. Table References

Links

http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml

NeD Worm

Table 804. Table References

Links

http://www.clearskysec.com/dustysky/

Emotet

Emotet is also known as:

  • Geodo

Table 811. Table References

Links

https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/

Hoardy

Hoardy is also known as:

  • Hoarde

  • Phindolp

  • BS2005

Htran

Table 812. Table References

Links

http://www.secureworks.com/research/threats/htran/

HTTPBrowser

HTTPBrowser is also known as:

  • TokenControl

Table 813. Table References

Links

https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

Snifula

Snifula is also known as:

  • Ursnif

Table 814. Table References

Links

https://www.circl.lu/pub/tr-13/

Etumbot

Etumbot is also known as:

  • Exploz

  • Specfix

  • RIPTIDE

Table 818. Table References

Links

www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf[www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf]

Fexel

Fexel is also known as:

  • Loneagent

Hancitor

Hancitor is also known as:

  • Tordal

  • Chanitor

  • Pony

Table 821. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear

X-Agent

This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.

X-Agent is also known as:

  • XAgent

Table 828. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/

https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq

X-Tunnel

X-Tunnel is also known as:

  • XTunnel

Crimson

Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims

Table 833. Table References

Links

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

Prikormka

Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.

Table 834. Table References

Links

http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf

NanHaiShu

This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.

Table 835. Table References

Links

https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf

Umbreon

Umbreon (sharing the same name as the Pokémon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.

Table 836. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/

Odinaff

Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.

Table 837. Table References

Links

https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks

Hworm

Unit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. Of the samples used in this attack, the first we observed were June 2016, while as-of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.

Hworm is also known as:

  • Houdini

Table 838. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/

Backdoor.Dripion

Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.

Backdoor.Dripion is also known as:

  • Dripion

Table 839. Table References

Links

http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan

Adwind

Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.

Adwind is also known as:

  • AlienSpy

  • Frutas

  • Unrecom

  • Sockrat

  • JSocket

  • jRat

  • Backdoor:Java/Adwind

Table 840. Table References

Links

https://securelist.com/blog/research/73660/adwind-faq/

Dridex

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.

Dridex is also known as:

  • Cridex

Table 841. Table References

Links

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf

Gamarue

Gamarue is also known as:

  • Andromeda

Table 842. Table References

Links

https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again

Necurs

The Necurs botnet is a distributor of many pieces of malware, most notably Locky.

Table 843. Table References

Links

https://en.wikipedia.org/wiki/Necurs_botnet

Akbot

Akbot is also known as:

  • Qbot

  • Qakbot

  • PinkSlipBot

Table 844. Table References

Links

https://en.wikipedia.org/wiki/Akbot

Upatre

Upatre is a Trojan downloader that is used to set up other threats on the victim’s PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan.

Vawtrak

Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites.

Table 845. Table References

Links

https://www.sophos.com/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf

Empire

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework

Table 846. Table References

Links

https://github.com/adaptivethreat/Empire

Explosive

Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.

Table 847. Table References

Links

https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf

KeyBoy

The actors used a new version of “KeyBoy,” a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data

Table 848. Table References

Links

https://citizenlab.org/2016/11/parliament-keyboy/

https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india

Yahoyah

The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware…​

Yahoyah is also known as:

  • W32/Seeav

Table 849. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

Tartine

Delphi RAT used by Sofacy.

Mirai

Mirai (Japanese for "the future") is malware that turns computer systems running Linux into remotely controlled "bots", that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH and the October 2016 Dyn cyberattack.

Mirai is also known as:

  • Linux/Mirai

Table 850. Table References

Links

https://en.wikipedia.org/wiki/Mirai_(malware)

BlackEnergy

BlackEnergy is a trojan which has undergone significant functional changes since it was first publicly analysed by Arbor Networks in 2007. It has evolved from a relatively simple DDoS trojan into a relatively sophisticated piece of modern malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud, as well as for targeted attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by SecureWorks in 2010. The targeted attacks recently discovered are proof that the trojan is still alive and kicking in 2014. We provide a technical analysis of the BlackEnergy family, focusing on novel functionality and the differences introduced by new lite variants. We describe the most notable aspects of the malware, including its techniques for bypassing UAC, defeating the signed driver requirement in Windows and a selection of BlackEnergy2 plug-ins used for parasitic file infections, network discovery and remote code execution and data collection.

Table 851. Table References

Links

https://www.virusbulletin.com/conference/vb2014/abstracts/back-blackenergy-2014-targeted-attacks-ukraine-and-poland/

Trojan.Seaduke

Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.

Trojan.Seaduke is also known as:

  • Seaduke

Table 852. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-031915-4935-99

GeminiDuke

GeminiDuke is malware that was used by APT29 from 2009 to 2012.

Table 855. Table References

Links

https://attack.mitre.org/wiki/Software/S0049

Zeus

Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. The Trojan is created using a Trojan-building toolkit.

Zeus is also known as:

  • Trojan.Zbot

  • Zbot

Table 856. Table References

Links

https://en.wikipedia.org/wiki/Zeus_(malware)

https://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

Shifu

Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.

Table 857. Table References

Links

http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/

Shiz

The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications — particularly SAP users.

Table 858. Table References

Links

https://securityintelligence.com/tag/shiz-trojan-malware/

MM Core

Also known as “BaneChant”, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number “2.0-LNK” where it used the tag “BaneChant” in its command-and-control (C2) network request. A second version “2.1-LNK” with the network tag “StrangeLove” was discovered shortly after.

MM Core is also known as:

  • MM Core backdoor

  • BigBoss

  • SillyGoose

  • BaneChant

  • StrangeLove

Table 859. Table References

Links

https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose

Shamoon

Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]

Table 860. Table References

Links

https://en.wikipedia.org/wiki/Shamoon

GhostAdmin

According to MalwareHunterTeam and other researchers that have looked at the malware’s source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.

Table 861. Table References

Links

https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/

EyePyramid Malware

Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)

Table 862. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/

LuminosityLink is a malware family costing $40 that purports to be a system administration utility

Table 863. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/

Flokibot

Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.

Flokibot is also known as:

  • Floki Bot

Table 864. Table References

Links

https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/

https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/

ZeroT

Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.

Table 865. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zer